aboutsummaryrefslogtreecommitdiff
path: root/include/busybox.h
diff options
context:
space:
mode:
authorRob Landley <rob@landley.net>2005-05-18 05:56:16 +0000
committerRob Landley <rob@landley.net>2005-05-18 05:56:16 +0000
commit5797c7f0ef93f3efd0ba6634640f9591716214e3 (patch)
tree76722f5b18215592a6b9c7c36693812df84cf3d8 /include/busybox.h
parent1fb7961e081f43fcfdb12bc588cc294115841f9c (diff)
downloadbusybox-5797c7f0ef93f3efd0ba6634640f9591716214e3.tar.gz
Doug Swarin pointed out a security bug in the -i option of sed.
While the permissions on the temp file are correct to prevent it from being maliciously mangled by passing strangers, (created with 600, opened O_EXCL, etc), the permissions on the _directory_ might not be, and we re-open the file to convert the filehandle to a FILE * (and automatically get an error message and exit if the directory's read-only or out of space or some such). This opens a potential race condition if somebody's using dnotify on the directory, deletes/renames the tempfile, and drops a symlink or something there. Somebody running sed -i as root in a world writeable directory could do damage. I dug up notes on an earlier discussion where we looked at the security implications of this (unfortunately on the #uclibc channel rather than email; I don't have a transcript, just notes-to-self) which pointed out that if the permissions on the directory allow other people's files to be deleted/renamed then the original file is vulnerable to sabotage anyway. However, there are two cases that discussion apparently didn't take into account: 1) Using another user's permissions to damage files in other directories you can't access (standard symlink attack). 2) Reading data another user couldn't otherwise access by having the new file belong to that other user. This patch uses fdopen to convert the filehandle into a FILE *, rather than reopening the file.
Diffstat (limited to 'include/busybox.h')
0 files changed, 0 insertions, 0 deletions