From 55a0f220ba8b35d7ea8e47ad19babdb05dd2bbe9 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Thu, 1 Apr 2010 16:12:29 -0400
Subject: Protect against check-and-open race conditions

There is a small window between running lstat() on a filename and opening it where it's possible for the file to have been modified. We were protecting against this by saving the stat data from the original file and verifying that it was the same file (by device and inode) when we opened it again, but this is an imperfect solution, as it is still possible for an attacker to modify the permissions during this window. It is much better to simply open the file and test on the active file descriptor. Resolves https://fedorahosted.org/sssd/ticket/425 incidentally, as without the initial lstat, we are implicitly accepting symlinks and only verifying the target file.
---
 src/tests/check_and_open-tests.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 (limited to 'src/tests/check_and_open-tests.c')
diff --git a/src/tests/check_and_open-tests.c b/src/tests/check_and_open-tests.c
index 7ec8f3bc..e3d98868 100644
--- a/src/tests/check_and_open-tests.c
+++ b/src/tests/check_and_open-tests.c
@@ -100,11 +100,11 @@ START_TEST(test_symlink)
 ret = symlink(filename, newpath);
 fail_unless(ret == 0, "symlink failed [%d][%s]", ret, strerror(ret));
- ret = check_and_open_readonly(newpath, &fd, uid, gid, mode, CHECK_REG);
+ ret = check_file(newpath, uid, gid, mode, CHECK_REG, NULL);
 unlink(newpath);
+ fail_unless(ret == EINVAL, "check_and_open_readonly succeeded on symlink");
- fail_unless(fd == -1, "check_and_open_readonly file descriptor not -1");
 }
 END_TEST
-- cgit
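Review bot: The failure message on the added `fail_unless(ret == EINVAL, ...)` still names `check_and_open_readonly`, although the call under test is now `check_file`, so a failing run will point at the wrong function; `fail_unless(ret == EINVAL, "check_file succeeded on symlink");` would match the call. More significant for the security property, test_symlink no longer exercises `check_and_open_readonly` on a symlink at all, while the commit message says that function now implicitly accepts symlinks and verifies only the target file. Nothing visible here pins that accepted behaviour, so a companion case that opens through a symlink and asserts that the owner and mode checks are applied to the target (with `fd` left at -1 on rejection) would keep the trade-off from regressing unnoticed. The body of test_symlink starts above the hunk and this page is limited to the test file, so the implementation side could not be checked.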