Checking for sticky bit

Posted Mar 3, 2011 14:28 UTC (Thu) by nix (subscriber, #2304)
In reply to: Checking for sticky bit by epa
Parent article: Seunshare, /tmp directories, and the "sticky" bit

Unfortunately to handle all cases you need to check more than that. You need to verify that *all containing directories* also either have those permissions or are not writable by the euid, or the attacker can just rename the whole subtree out from under you and create a new one that doesn't have the sticky bit set. (This is rarely a problem with /tmp, but is the reason why e.g. sshd requires that your home directory not be writable by group or other before it will look at your ~/.ssh directory.)


Checking for sticky bit

Posted Mar 3, 2011 15:08 UTC (Thu) by epa (subscriber, #39769) [Link]

> You need to verify that *all containing directories* also either have those permissions or are not writable by the euid, or the attacker can just rename the whole subtree out from under you and create a new one that doesn't have the sticky bit set.
Perhaps the problem is the use of filenames in the API rather than descriptors. If you first open() the directory to get an fd for that directory, and then create a file relative to that directory, you wouldn't have to worry about renaming attacks. This is the reason why file descriptors exist rather than passing around filenames everywhere, but it hasn't been taken to its logical conclusion and applied everywhere.

(If there is a variant of open() or creat() that takes a directory as a file descriptor, please educate me.)

Checking for sticky bit

Posted Mar 3, 2011 15:15 UTC (Thu) by RobSeace (subscriber, #4435) [Link]

> (If there is a variant of open() or creat() that takes a directory as a file descriptor, please educate me.)

man 2 openat
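An added example, written for this page and not posted by any of the commenters above, that puts the two points of the thread together in C: nix's requirement that every containing directory be checked, not just the target, and the openat() answer to epa's question about creating a file relative to a directory descriptor. The function names, the walk upward through `openat(fd, "..")`, and the acceptance policy (directory owned by the effective uid or root; group/other-writable only with the sticky bit, modelled on the sshd rule nix mentions) are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Policy for one directory in the chain (this example's assumption,
 * modelled on the rule sshd applies to ~ and ~/.ssh):
 *   - it must be a directory owned by the effective uid or by root;
 *   - if group or other can write to it, it must carry the sticky bit. */
static int dir_is_safe(const struct stat *st, uid_t euid)
{
    if (!S_ISDIR(st->st_mode))
        return 0;
    if (st->st_uid != euid && st->st_uid != 0)
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return (st->st_mode & S_ISVTX) != 0;
    return 1;
}

/* Open `path` as a directory and check it plus every ancestor up to the
 * root. The walk goes upward via openat(cur, "..") so each ancestor is
 * examined through a descriptor rather than by re-resolving a path string.
 * The root is detected when ".." refers to the same dev/inode as the
 * current directory. Returns an O_RDONLY|O_DIRECTORY fd for `path` on
 * success, or -1 with errno set (EACCES for a policy failure). */
int open_checked_dir(const char *path)
{
    uid_t euid = geteuid();
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    int cur = dup(fd);
    if (cur < 0) {
        close(fd);
        return -1;
    }
    for (;;) {
        struct stat st, pst;
        int parent;

        if (fstat(cur, &st) < 0)
            goto fail;
        if (!dir_is_safe(&st, euid)) {
            errno = EACCES;
            goto fail;
        }
        parent = openat(cur, "..", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        if (parent < 0)
            goto fail;
        if (fstat(parent, &pst) < 0) {
            close(parent);
            goto fail;
        }
        close(cur);
        cur = parent;
        if (pst.st_dev == st.st_dev && pst.st_ino == st.st_ino)
            break;              /* ".." of the root is the root itself */
    }
    close(cur);
    return fd;

fail:
    {
        int saved = errno;
        close(cur);
        close(fd);
        errno = saved;
    }
    return -1;
}

/* Create a new file relative to an already-checked directory descriptor.
 * O_EXCL refuses to reuse an existing entry, O_NOFOLLOW refuses a symlink
 * in the final component, and because the lookup starts at `dirfd` the
 * file lands in the inode that was inspected even if the directory's
 * path name has been renamed since. Mode 0600 is this example's choice. */
int create_private_file(int dirfd, const char *name)
{
    return openat(dirfd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int dfd = open_checked_dir(dir);
    if (dfd < 0) {
        perror(dir);
        return 1;
    }
    printf("%s and all its ancestors pass the check\n", dir);
    close(dfd);
    return 0;
}
```

Run it as `./a.out /tmp` (or any other directory) and it reports whether the whole chain passes. The ancestor check describes the tree as it stands at check time; what the descriptor buys you is that the create that follows cannot be redirected to a different directory by a rename, because openat() resolves `name` starting at the inode you inspected rather than from a path string that is re-resolved on every call.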


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds