Re: [Lcd4linux-devel] make lcd4linux secure!

[Michael R. <re...@eu...>]

Hi Xavier,

>>1. the temp file is opened with O_CREAT. If a symlink is already 
>>present, it's target will be overwritten. Some security HOWTO's say one 
>>should use O_CREAT|O_EXCL, which means that the call will fail if the 
>>file already exists. OTOH, the open(2) man page states that thios 
>>doesn't work over NFS :-(
>>2. the rename() will overwrite a symlink, too.
> 
> 
> Maybe you should do it like I did in plugin_i2c_sensors to check we have
> a directory :
> it did "if ((dir->d_type!=DT_DIR && dir->d_type!=DT_LNK)" to check if
> it's a dir or a symlink. You should check if it isN'T a symlink but a
> true file. I don't know how to get this d_type for a special file, I did
> it with readdir.

Yes, that's easy, but contains a race conditions:

if (file exists and/or is a symlink) {
    unlink (file)
}
open (file, O_CREAT)

This one looks clean, doesn't it? But there's a small window just before 
the open() call, where a hacker could create the symlink, and it's 
contents would be overwritten by lcd4linux.

You absolutely _have to_ use atomic operations here.


bye, Michael

-- 
Michael Reinelt                                   Tel: +43 676 3079941
Geisslergasse 4                                   Fax: +43 316  692343
A-8045 Graz, Austria                          e-mail: re...@eu...