Well here's a chance for me to learn something... Now that I know my first reply missed the mark completely, I'm curious to find out:

Suppose you do something like this:

unless ( -l "foo" ) {
    open( FH, ">>foo" ) or die "foo: $!";
}
die "Link attack detected" if ( -l "foo" );

How does that fail to provide the protection that your script, in its heart of hearts, really wants to provide? I realize that if the symlink gets created during that very brief period of vulnerability, and happens to point to a non-existent file in a valid directory path (with write permission for the effective uid), then a new file will be created according to the name that the abuser has assigned as the symlink's target.

So (sorry, I am honestly naive here) what? Except for that one scenario, it seems to me that no situation arises where any change is made to any file or directory. If the malicious symlink points to an existing data file, the script will die before actually altering that file; if the symlink points to a non-existent directory, the open call itself would fail; creating the symlink too soon will be trapped by the "unless ( -l )", and trying to create too late will fail.

Just in that one specific scenario, a zero-length file could be created, owned by the effective uid of the script -- but nothing will be written to it, the script dies, and whoever was trying the exploit would need a different suid tool to put any data in that file (assuming a proper umask was in place when your script ran).

What am I missing?


In reply to Re: opening files: link checking and race conditions by graff
in thread opening files: link checking and race conditions by danderson
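The pattern in the reply above performs the check (-l) and the use (open) as two separate system calls, so the window between them is exactly what a symlink race exploits. The added example below is not from the post or the thread; it places that racy check-then-open beside a version that asks the kernel to refuse symlinks at open time (O_NOFOLLOW, which makes sysopen fail with ELOOP when the final path component is a symlink) and then confirms that the handle it got and the name it opened still refer to the same device/inode. The file names, the append_racy/append_nofollow subroutine names and the temporary directory are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_APPEND O_CREAT O_NOFOLLOW);   # O_NOFOLLOW: POSIX/Linux, not Win32
use File::Temp qw(tempdir);

# Racy version, as posted: lstat (-l) and open are separate syscalls, so a
# symlink planted between them is followed, and the second -l runs too late
# to undo a file that open() already created through it.
sub append_racy {
    my ($path, $data) = @_;
    unless ( -l $path ) {
        open( my $fh, '>>', $path ) or die "$path: $!";
        die "Link attack detected" if ( -l $path );
        print {$fh} $data;
        close $fh;
        return 1;
    }
    return 0;
}

# Hardened version: the open itself refuses to follow a symlink, and the
# post-open check compares what we hold against what the name points at now.
sub append_nofollow {
    my ($path, $data) = @_;
    my $flags = O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW;
    sysopen( my $fh, $path, $flags, 0600 )
        or die "$path: refusing to open ($!)\n";       # ELOOP if $path is a symlink

    my @h = stat($fh);      # device, inode of the file actually opened
    my @p = lstat($path);   # device, inode of whatever the name is right now
    die "$path: name no longer refers to the file we opened\n"
        unless @h && @p && $h[0] == $p[0] && $h[1] == $p[1];
    die "$path: not a regular file\n" unless -f $fh;

    print {$fh} $data or die "$path: write failed: $!\n";
    close $fh          or die "$path: close failed: $!\n";
    return 1;
}

# Demonstration in a throwaway directory (constructed for this example).
my $dir    = tempdir( CLEANUP => 1 );
my $victim = "$dir/victim";
open( my $v, '>', $victim ) or die "$victim: $!";
close $v;
symlink( $victim, "$dir/foo" ) or die "symlink: $!";

# Symlink already in place: the racy version's -l guard skips it, and the
# hardened version is refused by the kernel regardless of timing.
print "racy: ", ( append_racy("$dir/foo", "x\n") ? "wrote" : "skipped" ), "\n";
eval { append_nofollow("$dir/foo", "x\n"); 1 } or print "nofollow: $@";

# A plain file (created on first use) is appended to normally.
append_nofollow("$dir/plain", "line one\n") and print "plain file written\n";
```

O_NOFOLLOW only governs the last component of the path; a symlinked directory earlier in the path is still followed, so the directory the script writes into must itself be trustworthy (not world-writable, or opened with a directory handle and openat-style relative names where the platform offers them). The stat/lstat comparison afterwards is a cheap sanity check that the name and the handle still agree; it is the O_NOFOLLOW flag, not the later -l test, that closes the window the post asks about.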
