
Checking for sticky bit

Posted Mar 3, 2011 10:36 UTC (Thu) by epa (subscriber, #39769)
Parent article: Seunshare, /tmp directories, and the "sticky" bit

I suppose if a program is written with the assumption that /tmp has the sticky bit set, then this assumption should be embedded in the code.

Simply checking the permissions on /tmp before you start is not good enough because it has all the usual race conditions. There would need to be some additional flags to open() to specify 'I expect the containing directory to have the following permissions'.



Checking for sticky bit

Posted Mar 3, 2011 14:28 UTC (Thu) by nix (subscriber, #2304)

Unfortunately to handle all cases you need to check more than that. You need to verify that *all containing directories* also either have those permissions or are not writable by the euid, or the attacker can just rename the whole subtree out from under you and create a new one that doesn't have the sticky bit set. (This is rarely a problem with /tmp, but is the reason why e.g. sshd requires that your home directory not be writable by group or other before it will look at your ~/.ssh directory.)

Checking for sticky bit

Posted Mar 3, 2011 15:08 UTC (Thu) by epa (subscriber, #39769)

> You need to verify that *all containing directories* also either have those permissions or are not writable by the euid, or the attacker can just rename the whole subtree out from under you and create a new one that doesn't have the sticky bit set.

Perhaps the problem is the use of filenames in the API rather than descriptors. If you first open() the directory to get an fd for that directory, and then create a file relative to that directory, you wouldn't have to worry about renaming attacks. This is the reason why file descriptors exist rather than passing around filenames everywhere, but it hasn't been taken to its logical conclusion and applied everywhere.

(If there is a variant of open() or creat() that takes a directory as a file descriptor, please educate me.)

Checking for sticky bit

Posted Mar 3, 2011 15:15 UTC (Thu) by RobSeace (subscriber, #4435)

> (If there is a variant of open() or creat() that takes a directory as a file descriptor, please educate me.)

man 2 openat
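Putting nix's rule (every containing directory must either be non-writable by group/other or carry the sticky bit) together with epa's descriptor-based approach and the openat() RobSeace points at, here is an added C example. It is my own illustration, not code from the thread, LWN, or any project: it walks an absolute path from "/" one openat() step at a time, checks the mode on each directory fd it actually holds (so there is no check-then-use window on a path string), and then creates a new file with O_CREAT|O_EXCL relative to the final directory fd. The function names, the `demo()` self-check and its fixture directory name `stickydemo.XXXXXX` are my assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Policy from the thread: a directory is safe to create files under when it
 * is either not writable by group/other, or has the sticky bit set so other
 * users cannot rename or unlink entries they do not own. */
int dir_fd_ok(int dirfd)
{
    struct stat st;
    if (fstat(dirfd, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return (st.st_mode & S_ISVTX) != 0;
    return 1;
}

/* Open one path component relative to an already-checked directory fd.
 * O_NOFOLLOW refuses a symlink planted in place of the component, and the
 * mode check runs on the fd we hold, not on a path that can be renamed. */
static int open_component(int dirfd, const char *name)
{
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (!dir_fd_ok(fd)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Walk an absolute path from "/" component by component, as nix's comment
 * requires. Returns an fd for the final directory, or -1 if the path is
 * relative, does not exist, or any containing directory fails the policy. */
int open_checked_dir(const char *abs_path)
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;
    int fd = open_component(AT_FDCWD, "/");
    if (fd < 0)
        return -1;
    char *copy = strdup(abs_path);
    if (copy == NULL) {
        close(fd);
        return -1;
    }
    char *save = NULL;
    for (char *comp = strtok_r(copy, "/", &save); comp != NULL && fd >= 0;
         comp = strtok_r(NULL, "/", &save)) {
        int next = open_component(fd, comp);  /* each step relative to the last fd */
        close(fd);
        fd = next;
    }
    free(copy);
    return fd;
}

/* Create a brand-new file relative to the checked directory fd. O_EXCL makes
 * the call fail instead of opening a file or symlink placed there first. */
int create_new_file_in(int dirfd, const char *name)
{
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
}

/* Self-check on a fixture directory constructed here (hypothetical name):
 * mode 0700 passes, 0777 without the sticky bit is rejected, 01777 passes,
 * and a second O_EXCL create of the same name fails. Returns 0 when every
 * expectation holds, otherwise the number of the step that failed. */
int demo(void)
{
    char tmpl[] = "./stickydemo.XXXXXX";
    char alt[] = "/tmp/stickydemo.XXXXXX";
    char *dir = mkdtemp(tmpl);               /* created with mode 0700 */
    if (dir == NULL)
        dir = mkdtemp(alt);                  /* fall back if cwd is read-only */
    if (dir == NULL)
        return 1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) { rmdir(dir); return 2; }
    int rc = 0;
    if (!dir_fd_ok(dfd))                                   rc = 3;
    else if (fchmod(dfd, 0777) != 0 || dir_fd_ok(dfd))     rc = 4;
    else if (fchmod(dfd, 01777) != 0 || !dir_fd_ok(dfd))   rc = 5;
    else {
        int f1 = create_new_file_in(dfd, "example.txt");
        int f2 = create_new_file_in(dfd, "example.txt");  /* must fail: exists */
        if (f1 < 0 || f2 >= 0) rc = 6;
        if (f1 >= 0) close(f1);
        if (f2 >= 0) close(f2);
        unlinkat(dfd, "example.txt", 0);
    }
    close(dfd);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (%d)\n", rc == 0 ? "all checks held" : "a step failed", rc);
    return rc;
}
```

The check is deliberately uid-independent: it rejects any group/other-writable directory without the sticky bit regardless of who owns it, which is the conservative reading of nix's rule. A real program would typically relax it for directories owned by the effective uid or by root, and would keep the directory fd for the lifetime of the temporary file rather than ever going back to the path string.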


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds