From: Pawel Jakub Dawidek
To: Bruce Evans
Date: Tue, 16 Jan 2007 09:42:43 +0100
Message-ID: <20070116084243.GA1117@garage.freebsd.pl>
In-Reply-To: <20070116133259.N5056@delplex.bde.org>
Cc: freebsd-security@freebsd.org, Dirk Engling, Colin Percival
Subject: Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail

On Tue, Jan 16, 2007 at 02:42:17PM +1100, Bruce Evans wrote:
> On Tue, 16 Jan 2007, Dirk Engling wrote:
>
> > Colin Percival wrote:
> >
> > > No. `cp -f` unlinks the existing file and creates a new file, but will
> > > still follow a symlink if one is created between the "unlink" syscall and
> > > the "open" syscall.
> > ...
> > You are right. Atomically in binary is not atomical enough.
> >
> > mv in its rename()-form will do the job, so we need to create a file in
> > . by mktemp and mv it to the real name when filled.
>
> install -S already implements this, but not robustly enough to be secure.
> It only creates the temporary file if the target doesn't already exist,
> so it is subject to the usual races otherwise. 'S' stands for "safe"
> (no-clobber), not secure, so this is reasonable. However, it can easily
> be made both safer (actually no-clobber) and more secure by opening the file
> with O_EXCL and exiting if the file exists at the time of the open.
> Perhaps cp -f should do the same. (Both have paths where they do a
> forced unlink() followed by an open(). This open() can easily use O_EXCL).

Interesting. I was sure it wouldn't work as you described, because the
target file can be a symlink and open(2) by default follows symlinks.
I thought that you had just forgotten about the O_NOFOLLOW flag, but it
seems that with O_EXCL open(2) doesn't follow symlinks, so it will work.

> mv(1) can never be trusted to use its rename() form since it uses
> copying to move across file systems and there is no way to control this.
> mv(1)'s rewriting of "mv file dir" to "rename file dir/file" is also
> a problem (I keep rename(1) handy to avoid it). I haven't followed
> most of this thread so I don't know what the attacker can do here.
> Changing the target to a symlink to a directory on a different file
> system would exploit both of the problems in mv.

That's true. Dirk's proposal is to create a file with mktemp(1) in the
same directory where we're going to rename(2) the file, but I don't think
mktemp(1) will be safe here:

    good-guy                                  attacker-within-a-jail
    cd /jail/var/log
    mktemp foo.XXX
                                              rm -f foo.XXX
                                              ln -s /etc/spwd.db foo.XXX
    copy /path/to/jail_console.log foo.XXX
    mv -f foo.XXX console.log

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
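The two points argued above (open(2) with O_CREAT|O_EXCL refuses a symlink, and a temp file that is created and opened in one step, then rename(2)d into place, has no create-then-reopen gap of the mktemp(1) kind) as an added C example that is not part of this thread or of any FreeBSD utility; the scratch directory, the temp-file naming, the dangling link target and the demo() helper are this example's own constructions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Replace dir/name without following symlinks: mkstemp(3) creates and opens
 * the temp file with O_CREAT|O_EXCL in one syscall (no mktemp(1)-style
 * create-then-reopen gap); rename(2) swaps it in atomically on the same file
 * system. Returns 0 on success, or -1 with errno set. */
int safe_replace(const char *dir, const char *name, const char *data, size_t len)
{
    char tmp[1024], dst[1024];
    int fd, ok, e;
    snprintf(tmp, sizeof tmp, "%s/.%s.XXXXXX", dir, name);
    snprintf(dst, sizeof dst, "%s/%s", dir, name);
    if ((fd = mkstemp(tmp)) == -1) return -1;
    ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0;
    ok = close(fd) == 0 && ok;          /* always close, even after a failure */
    if (ok && rename(tmp, dst) == 0) return 0;
    e = errno; unlink(tmp); errno = e;  /* drop the temp file, keep the cause */
    return -1;
}

/* Exercises both points in a private scratch directory (all paths and data
 * constructed here): open(2) with O_CREAT|O_EXCL must fail with EEXIST on a
 * planted dangling symlink foo.XXX rather than follow it, and safe_replace()
 * must land the bytes in console.log. Returns 1 if both hold, else 0. */
int demo(void)
{
    char dir[] = "/tmp/sa0701.XXXXXX", lnk[1024], logp[1024], buf[8];
    int fd, refused = 0, ok = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(lnk, sizeof lnk, "%s/foo.XXX", dir);
    snprintf(logp, sizeof logp, "%s/console.log", dir);
    if (symlink("/nonexistent/spwd.db", lnk) == 0) {
        fd = open(lnk, O_WRONLY | O_CREAT | O_EXCL, 0600);
        refused = (fd == -1 && errno == EEXIST);
        if (fd != -1) close(fd); unlink(lnk);
    }
    if (safe_replace(dir, "console.log", "line1\n", 6) == 0 &&
        (fd = open(logp, O_RDONLY)) != -1) {
        ok = read(fd, buf, sizeof buf) == 6 && memcmp(buf, "line1\n", 6) == 0;
        close(fd);
    }
    unlink(logp); rmdir(dir);
    return refused && ok;
}
```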