Checking for sticky bit
Posted Mar 3, 2011 15:08 UTC (Thu) by epa
In reply to: Checking for sticky bit
Parent article: Seunshare, /tmp directories, and the "sticky" bit
You need to verify that *all containing directories* also either have those permissions or are not writable by the euid, or the attacker can just rename the whole subtree out from under you and create a new one that doesn't have the sticky bit set.
Perhaps the problem is the use of filenames in the API rather than descriptors. If you first open() the directory to get an fd for that directory, and then create a file relative to that directory, you wouldn't have to worry about renaming attacks. This is the reason why file descriptors exist rather than passing around filenames everywhere, but it hasn't been taken to its logical conclusion and applied everywhere.
(If there is a variant of open() or creat() that takes a directory as a file descriptor, please educate me.)
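An added example, not part of epa's comment or of the article it replies to, showing the two ideas above in working C. POSIX `openat(2)` is exactly the descriptor-relative variant of `open()` asked about: the code below walks an absolute path one component at a time, opens each directory relative to the fd of the previous one, and `fstat()`s the fd it actually holds rather than `stat()`ing a path. Each directory on the way must be owned by root or by the caller's euid and either carry the sticky bit or be unwritable by group and other; that rule, the function names and the sample tree built by `main()` are this example's own choices, not anything the page prescribes.

```c
/* Added example: descriptor-relative path walk with per-directory sticky /
 * permission checks, then an O_EXCL create relative to the held fd. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A directory is trusted against "rename the subtree out from under you"
 * when it is owned by root or by us, and either has the sticky bit (others
 * cannot rename or unlink entries they do not own) or is not writable by
 * group/other at all. Returns 1 if trusted, 0 otherwise. */
int dir_is_trusted(const struct stat *st, uid_t euid)
{
    if (!S_ISDIR(st->st_mode))
        return 0;
    if (st->st_uid != 0 && st->st_uid != euid)
        return 0;
    if (st->st_mode & S_ISVTX)
        return 1;
    return (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Open the directory at absolute `path` by walking from "/" with openat(),
 * checking every component through the fd we hold. Returns an O_DIRECTORY
 * fd, or -1 with errno set: EACCES if some component is untrusted, EINVAL
 * for relative paths or "."/".." components, otherwise the syscall's errno. */
int open_trusted_dir(const char *path, uid_t euid)
{
    char buf[PATH_MAX], *save = NULL;
    struct stat st;
    int fd;

    if (path[0] != '/' || strlen(path) >= sizeof buf) {
        errno = EINVAL;
        return -1;
    }
    strcpy(buf, path);
    if ((fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC)) < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !dir_is_trusted(&st, euid))
        goto untrusted;

    for (char *c = strtok_r(buf, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        if (strcmp(c, ".") == 0 || strcmp(c, "..") == 0) {
            close(fd);
            errno = EINVAL;
            return -1;
        }
        /* O_NOFOLLOW: a symlink planted at this component must not redirect us. */
        int next = openat(fd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        close(fd);
        if (next < 0)
            return -1;
        fd = next;
        if (fstat(fd, &st) < 0 || !dir_is_trusted(&st, euid))
            goto untrusted;
    }
    return fd;

untrusted:
    close(fd);
    errno = EACCES;
    return -1;
}

/* Create `name` inside the directory held as dirfd. Because the create is
 * relative to the fd, renaming the tree after the checks cannot redirect it;
 * O_EXCL refuses a pre-planted file or symlink. Returns the new fd or -1. */
int create_exclusive_in(int dirfd, const char *name)
{
    if (name[0] == '\0' || strchr(name, '/')) {
        errno = EINVAL;
        return -1;
    }
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Stand-alone demo on a constructed tree: a world-writable, non-sticky
 * subdirectory under a mkdtemp() directory is refused; the base is accepted. */
int main(void)
{
    char base[] = "/tmp/stickydemoXXXXXX", loose[PATH_MAX];
    if (!mkdtemp(base)) { perror("mkdtemp"); return 1; }
    snprintf(loose, sizeof loose, "%s/loose", base);
    if (mkdir(loose, 0777) < 0 || chmod(loose, 0777) < 0) { perror("mkdir"); return 1; }

    uid_t euid = geteuid();
    int fd = open_trusted_dir(loose, euid);
    printf("%s: %s\n", loose, fd >= 0 ? "trusted" : strerror(errno)); /* expect EACCES */
    if (fd >= 0) close(fd);

    if ((fd = open_trusted_dir(base, euid)) >= 0) {
        int f = create_exclusive_in(fd, "demo.txt");
        printf("%s/demo.txt: %s\n", base, f >= 0 ? "created" : strerror(errno));
        if (f >= 0) { close(f); unlinkat(fd, "demo.txt", 0); }
        close(fd);
    } else {
        printf("%s: %s\n", base, strerror(errno));
    }
    rmdir(loose);
    rmdir(base);
    return 0;
}
```

Note that the walk still cannot protect against the owner of an ancestor directory, which is why the rule insists on root or the caller's own euid: the sticky bit only stops other users, not the directory owner or root, from renaming entries.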