diff options
author | Stephen Gallagher <sgallagh@redhat.com> | 2010-04-01 16:12:29 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-04-06 14:33:43 -0400 |
commit | 55a0f220ba8b35d7ea8e47ad19babdb05dd2bbe9 (patch) | |
tree | 0ad879883ea70686ca9a3caf012b29413b3315a5 /src/util/util.h | |
parent | 3bd250d73e7d77cf8ceb72133ce13059c52a70ed (diff) | |
download | sssd-55a0f220ba8b35d7ea8e47ad19babdb05dd2bbe9.tar.gz sssd-55a0f220ba8b35d7ea8e47ad19babdb05dd2bbe9.tar.xz sssd-55a0f220ba8b35d7ea8e47ad19babdb05dd2bbe9.zip |
Protect against check-and-open race conditions
There is a small window between running lstat() on a filename and
opening it where it's possible for the file to have been modified.
We were protecting against this by saving the stat data from the
original file and verifying that it was the same file (by device
and inode) when we opened it again, but this is an imperfect
solution, as it is still possible for an attacker to modify the
permissions during this window.
It is much better to simply open the file and test on the active
file descriptor.
Resolves https://fedorahosted.org/sssd/ticket/425 incidentally, as
without the initial lstat, we are implicitly accepting symlinks
and only verifying the target file.
Diffstat (limited to 'src/util/util.h')
-rw-r--r-- | src/util/util.h | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/util/util.h b/src/util/util.h index db8e1ac33..fae8096a9 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -268,9 +268,38 @@ enum check_file_type { CHECK_LNK, CHECK_SOCK }; + +/* check_file() + * Verify that a file has certain permissions and/or is of a certain + * file type. This function can be used to determine if a file is a + * symlink. + * Warning: use of this function implies a potential race condition + * Opening a file before or after checking it does NOT guarantee that + * it is still the same file. Additional checks should be performed + * on the caller_stat_buf to ensure that it has the same device and + * inode to minimize impact. Permission changes may have occurred, + * however. + */ errno_t check_file(const char *filename, const int uid, const int gid, const int mode, enum check_file_type type, struct stat *caller_stat_buf); + +/* check_fd() + * Verify that an open file descriptor has certain permissions and/or + * is of a certain file type. This function CANNOT detect symlinks, + * as the file is already open and symlinks have been traversed. This + * is the safer way to perform file checks and should be preferred + * over check_file for nearly all situations. + */ +errno_t check_fd(int fd, const int uid, const int gid, + const int mode, enum check_file_type type, + struct stat *caller_stat_buf); + +/* check_and_open_readonly() + * Utility function to open a file and verify that it has certain + * permissions and is of a certain file type. This function wraps + * check_fd(), and is considered race-condition safe. + */ errno_t check_and_open_readonly(const char *filename, int *fd, const uid_t uid, const gid_t gid, const mode_t mode, enum check_file_type type); |