Re: BUG! sys_rename()


From: Amon Ott <ao@rsbac.org>
Subject: Re: BUG! sys_rename()
Date: Thu, 31 May 2001 10:51:17 +0200

Next Article (by Author): Pre-Fix for rename hole Amon Ott
Previous Article (by Author): patch-2.4.5-v1.1.1.gz uploaded to /pre dir Amon Ott
Top of Thread: BUG! sys_rename() Stanislav Ievlev
Articles sorted by: [Date] [Author] [Subject]


On Wed, 30 May 2001 Stanislav Ievlev wrote:
> There is a serious bug:
> 
> In the sys_rename() syscall RSBAC checks only the parent dir for R_WRITE, but we
> need to check the new file (if it exists) for R_DELETE.
> 
> -------------------
> Simple exploit:
> /tmp/old - file protected by FF (or ACL) as "read_only"
> 1. create /tmp/test
> 2. rename /tmp/test into /tmp/old will be GRANTED!!!
> 3(!). the new /tmp/old is unprotected now
> 
> --------------------
> So we can:
> 1. copy /tmp/old into /tmp/test
> 2. rename /tmp/test into /tmp/old
> As a result we have unprotected file /tmp/old
> 
> 
> I've created an example patch to solve this problem. See the attachment.

You are right, this must be fixed and your solution looks right. I will change
it in the next pre, together with a patch to change_root for initrd etc.

Amon.
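As an added illustration, not code from RSBAC or from the patch discussed in this thread: a simplified model of the rename check before and after the fix, using hypothetical names and a constructed protection table where /tmp/old is read-only. The check on the source file's own directory is left out, since the thread only concerns the target side.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical request types, modelled loosely on the thread's R_WRITE / R_DELETE. */
typedef enum { R_WRITE = 1, R_DELETE = 2 } request_t;

struct entry { const char *path; bool read_only; };

/* Constructed sample: /tmp/old is protected read-only, everything else is not. */
static const struct entry table[] = {
    { "/tmp",      false },
    { "/tmp/old",  true  },
    { "/tmp/test", false },
};

static const struct entry *lookup(const char *path) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].path, path) == 0) return &table[i];
    return NULL;                       /* object does not exist */
}

/* A read_only object denies R_WRITE and R_DELETE on itself. */
static bool request_granted(const char *path, request_t req) {
    const struct entry *e = lookup(path);
    if (!e) return true;               /* nothing exists there to protect */
    return !(e->read_only && (req == R_WRITE || req == R_DELETE));
}

/* Directory component of a path ("/tmp/old" -> "/tmp"). */
static void parent_of(const char *path, char *out, size_t n) {
    strncpy(out, path, n - 1); out[n - 1] = '\0';
    char *s = strrchr(out, '/');
    if (s && s != out) *s = '\0'; else strcpy(out, "/");
}

/* Before the fix: only the target's parent directory is checked for R_WRITE,
   so an existing read-only target can be replaced by the rename. */
bool rename_check_before(const char *old, const char *new) {
    char parent[256];
    (void)old;
    parent_of(new, parent, sizeof parent);
    return request_granted(parent, R_WRITE);
}

/* After the fix: an existing target must additionally grant R_DELETE. */
bool rename_check_after(const char *old, const char *new) {
    if (!rename_check_before(old, new)) return false;
    if (lookup(new) && !request_granted(new, R_DELETE)) return false;
    return true;
}
```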
