Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jai

Board: FB_security, posted 2007/01/16 18:46
On Tue, 16 Jan 2007, Pawel Jakub Dawidek wrote:

> On Tue, Jan 16, 2007 at 02:42:17PM +1100, Bruce Evans wrote:
>> install -S ...
>> ... can easily
>> be made both safer (actually no-clobber) and securer by opening the file
>> with O_EXCL and exiting if the file exists at the time of the open.
>> Perhaps cp -f should do the same. (Both have paths where they do a
>> forced unlink() followed by an open(). This open() can easily use O_EXCL).
>
> Interesting. I was sure it won't work as you described, because the
> target file can be a symlink and open(2) by default follows symlinks.
> I thought that you just forget about O_NOFOLLOW flag, but it seems, that
> with O_EXCL open(2) doesn't follow symlinks so it will work.

I did forget it. I just assumed that doing the same thing as mkstemp()
is as secure as possible, and it is. Old versions of mkstemp() couldn't
use O_NOFOLLOW since O_NOFOLLOW has only existed since Y2K. New versions
don't use it because it is unnecessary. Exclusive access isn't enough
for security since if open() followed a dangling link it would create
a security hole with (O_CREAT | O_EXCL). But there is no problem since
O_EXCL implies not following symlinks even if O_NOFOLLOW is not supported.
This is documented in open(2) and better documented in POSIX.

Bruce
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
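The dangling-symlink case discussed in the message above, as an added example that is not part of the original thread: it opens a dangling symlink once with O_CREAT alone and once with O_CREAT | O_EXCL and reports whether the link target was created. The function name `open_dangling_link`, the scratch directory under /tmp and the file names are assumptions made for the demonstration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkdtemp(), symlink(), lstat() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Constructed scenario: a private scratch directory holds "link", a dangling
 * symlink to "victim" (which does not exist). Open "link" with `flags`:
 *   1  open() followed the link and created "victim"
 *   0  open() failed with EEXIST and "victim" was not created
 *  -1  anything else (setup failure, unexpected errno)
 */
int open_dangling_link(int flags)
{
    char dir[] = "/tmp/oexcl-demo.XXXXXX";   /* assumed scratch location */
    char victim[64], lnk[64];
    struct stat sb;
    int fd, err, created, result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof(victim), "%s/victim", dir);
    snprintf(lnk, sizeof(lnk), "%s/link", dir);
    if (symlink(victim, lnk) == 0) {
        fd = open(lnk, flags, 0600);
        err = errno;                          /* save before more syscalls */
        created = (lstat(victim, &sb) == 0);  /* did the target appear? */
        if (fd >= 0 && created)
            result = 1;
        else if (fd < 0 && err == EEXIST && !created)
            result = 0;
        if (fd >= 0)
            close(fd);
    }
    unlink(victim);                           /* cleanup; failures ignored */
    unlink(lnk);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("O_CREAT only:     %d\n", open_dangling_link(O_WRONLY | O_CREAT));
    printf("O_CREAT | O_EXCL: %d\n", open_dangling_link(O_WRONLY | O_CREAT | O_EXCL));
    return 0;
}
```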