
Checking for sticky bit

Posted Mar 3, 2011 15:08 UTC (Thu) by epa (subscriber, #39769)
In reply to: Checking for sticky bit by nix
Parent article: Seunshare, /tmp directories, and the "sticky" bit

You need to verify that *all containing directories* also either have those permissions or are not writable by the euid, or the attacker can just rename the whole subtree out from under you and create a new one that doesn't have the sticky bit set.
Perhaps the problem is the use of filenames in the API rather than descriptors. If you first open() the directory to get an fd for that directory, and then create a file relative to that directory, you wouldn't have to worry about renaming attacks. This is the reason why file descriptors exist rather than passing around filenames everywhere, but it hasn't been taken to its logical conclusion and applied everywhere.

(If there is a variant of open() or creat() that takes a directory as a file descriptor, please educate me.)



Checking for sticky bit

Posted Mar 3, 2011 15:15 UTC (Thu) by RobSeace (subscriber, #4435)

> (If there is a variant of open() or creat() that takes a directory as a file descriptor, please educate me.)

man 2 openat
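
The descriptor-based pattern discussed in this thread, as an added example that is not part of either comment: the sticky-bit check is done with fstat() on an opened directory descriptor, and the file is then created with openat() relative to that same descriptor, so renaming the path in between does not redirect the create. The helper names, the /tmp/stickydemo.XXXXXX template and the swapped-directory scenario are constructed for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for S_ISVTX, O_DIRECTORY, mkdtemp */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helper: open a directory and vet it through the descriptor, so
 * the check applies to the object held, not to what the path names later. */
int open_checked_dir(const char *path)
{
    struct stat st;
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    /* Refuse a world-writable directory that lacks the sticky bit. */
    if (fstat(dfd, &st) != 0 || (st.st_mode & (S_IWOTH | S_ISVTX)) == S_IWOTH) {
        close(dfd);
        return -1;
    }
    return dfd;
}

/* Hypothetical helper: create a file relative to the vetted descriptor. */
int create_in_dir(int dfd, const char *name)
{
    if (strchr(name, '/')) return -1;   /* one path component only */
    return openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: the path is swapped for a non-sticky directory between
 * check and create. Returns 1 if the file landed in the vetted directory. */
int demo_rename_race(void)
{
    char base[] = "/tmp/stickydemo.XXXXXX", work[64], moved[64], f[80];
    if (!mkdtemp(base)) return 0;
    snprintf(work, sizeof work, "%s/work", base);
    snprintf(moved, sizeof moved, "%s/moved", base);
    snprintf(f, sizeof f, "%s/f", moved);
    mkdir(work, 0700); chmod(work, 01777);   /* sticky, world-writable */
    int dfd = open_checked_dir(work);
    rename(work, moved);                     /* subtree renamed away */
    mkdir(work, 0700); chmod(work, 0777);    /* replacement without sticky bit */
    int fd = create_in_dir(dfd, "f");
    int ok = fd >= 0 && access(f, F_OK) == 0 && open_checked_dir(work) < 0;
    close(fd); close(dfd); unlink(f); rmdir(moved); rmdir(work); rmdir(base);
    return ok;
}
int main(void) { return demo_rename_race() ? 0 : 1; }
```

The file ends up under the renamed directory that was actually checked, and the non-sticky replacement at the old path is refused when it is opened.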
