From: Amon Ott <ao@rsbac.org>
Subject: Re: BUG! sys_rename()
Date: Thu, 31 May 2001 10:51:17 +0200
Next Article (by Author): Pre-Fix for rename hole Amon Ott
Previous Article (by Author): patch-2.4.5-v1.1.1.gz uploaded to /pre dir Amon Ott
Top of Thread: BUG! sys_rename() Stanislav Ievlev
On Wed, 30 May 2001 Stanislav Ievlev wrote:
> There is a serious bug:
>
> In the sys_rename() syscall RSBAC checks only the parent dir for R_WRITE, but we
> need to check the new file (if it exists) for R_DELETE.
>
> -------------------
> Simple exploit:
> /tmp/old - file protected by FF (or ACL) as "read_only"
> 1. create /tmp/test
> 2. rename /tmp/test into /tmp/old will be GRANTED!!!
> 3(!). new /tmp/old unprotected now
>
> --------------------
> So we can:
> 1. copy /tmp/old into /tmp/test
> 2. rename /tmp/test into /tmp/old
> As a result we have an unprotected file /tmp/old
>
>
> I've created an example patch to solve this problem. See attachment.

You are right, this must be fixed and your solution looks right. I will change it in the next pre, together with a patch to change_root for initrd etc.

Amon.
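The decision logic the thread is about, as an added toy model that is not RSBAC's own code nor the attached patch: the flawed rename check that only asks the new parent directory for R_WRITE, beside the corrected one that also asks an existing target for R_DELETE. The `struct inode`, `ff_flags`, `FF_READ_ONLY` and `rsbac_adf_request` names are assumptions standing in for the real FF module and ADF hook.

```c
/* Added example, not RSBAC's own code: a model of the rename authorization
 * decision discussed in the thread.  All names here are invented. */
#include <stdbool.h>
#include <stddef.h>

enum request { R_WRITE, R_DELETE };
#define FF_READ_ONLY 0x1   /* assumed bit for the FF "read_only" flag */

struct inode {
    unsigned ff_flags;     /* FF flags set on this object */
};

/* Stand-in for the ADF decision: a read_only object denies WRITE and
 * DELETE requests, everything else is granted. */
static bool rsbac_adf_request(enum request req, const struct inode *obj)
{
    if (obj->ff_flags & FF_READ_ONLY)
        return !(req == R_WRITE || req == R_DELETE);
    return true;
}

/* Flawed check as described in the report: only the new parent dir is
 * asked for R_WRITE; an existing target is never asked for R_DELETE. */
bool rename_check_old(const struct inode *new_dir, const struct inode *target)
{
    (void)target;          /* target ignored: this is the hole */
    return rsbac_adf_request(R_WRITE, new_dir);
}

/* Fixed check: rename replaces (effectively deletes) an existing target,
 * so the target must additionally grant R_DELETE. */
bool rename_check_fixed(const struct inode *new_dir, const struct inode *target)
{
    if (!rsbac_adf_request(R_WRITE, new_dir))
        return false;
    if (target != NULL && !rsbac_adf_request(R_DELETE, target))
        return false;
    return true;
}

/* Constructed scenario from the report: /tmp is writable, /tmp/old is
 * marked read_only, and /tmp/test is renamed onto /tmp/old. */
bool scenario_granted(bool (*check)(const struct inode *, const struct inode *))
{
    struct inode tmp_dir = { .ff_flags = 0 };
    struct inode tmp_old = { .ff_flags = FF_READ_ONLY };
    return check(&tmp_dir, &tmp_old);
}
```

With the old check the rename onto the read_only file is granted; with the fixed check it is denied, while a rename onto a non-existent name is still allowed.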