From: Gaëtan LEURENT <gaetan.leurent@ens.fr>
Newsgroups: gmane.emacs.devel
Subject: Re: Race-condition ?
Date: Fri, 24 Jun 2005 22:46:59 +0200
To: Eli Zaretskii
Cc: emacs-devel@gnu.org
In-Reply-To: Eli Zaretskii's message of "Fri, 24 Jun 2005 22:07:35 +0200"
Eli Zaretskii wrote on 24 Jun 2005 22:07:35 +0200:

> So?  What problems would that cause, except defeating the call to
> chown itself?  Previous versions of Emacs didn't call chown at all, so
> how is the current version worse?
>
> It's possible that this race condition is harmful in the context of
> bzip2, but that doesn't necessarily mean it's as harmful in Emacs.
>
>> I believe we should use fchown instead.
>
> Only if the danger is real, IMHO: fchown requires that we open the
> file, which is expensive.  If we go that way, we might as well check
> if we are root, and only open the file and call fchown if we are: no
> need to punish mere mortals if we know in advance the call will fail
> for them anyway.

I guess I haven't been clear enough.  The scenario is:

- Suppose the users have two directories on two different drives.  For
  instance in /home, which is a small drive with frequent backups, and
  in /large, which is a large drive without backups.

- Now, root is using emacs.  He decides to move the file
  /home/joe/somefile to /large/joe/somefile because it takes up too much
  space on the small drive.

- Since /home and /large are on different filesystems, emacs will copy
  the content of /home/joe/somefile to /large/joe/somefile and will then
  call chown on /large/joe/somefile.

- But joe is a bad guy, and while emacs is copying the file, he removes
  /large/joe/somefile and replaces it with a hardlink to
  /large/root/importantfile (possibly /etc/passwd if it's on the same
  drive).

- When emacs finishes copying the file, it calls chown on
  /large/joe/somefile, and joe now owns /large/root/importantfile.

The problem is that chown takes a path as argument, and paths are not
safe in a Unix environment.  What we must do is use fchown, which takes
a file descriptor as argument, and give it the fd we got *when we opened
the new file in the first place*.  We must not close the file before we
call fchown, and we must not open it a second time.  This induces no
additional cost, and it is the only way to be sure we are dealing with
the same file.

You can build the same kind of attack with chmod.

The attack is not very likely, because it requires that the target
directory is writable by the victim and by the attacker, which can
happen if root is playing with someone else's files or if the victim is
doing things in a world-writable directory, but it's the same as the one
that was found in bzip2.

> Anyway, how portable are fchown and fchmod?  If not all platforms
> support them, we shouldn't introduce them without an Autoconf test.

According to Linux's man files:

# The fchmod call conforms to 4.4BSD and SVr4.  SVr4 documents additional
# EINTR and ENOLINK error conditions.  POSIX requires the fchmod function
# if at least one of _POSIX_MAPPED_FILES and _POSIX_SHARED_MEMORY_OBJECTS
# is defined, and documents additional ENOSYS and EINVAL error
# conditions, but does not document EIO.

If a platform does not support them, I think we should not try to change
access permissions and/or file owner at all on these platforms.

-- 
Gaëtan LEURENT
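As an added illustration of the fchown/fchmod approach argued for in the message above (example code written for this page, not Emacs's own copy routine): a cross-filesystem copy that applies owner and mode through the destination descriptor it opened itself, never through the path. The function name copy_file_fd_safe and the 0600 initial mode are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy SRC to a new file at DST.  Returns 0 on success, -1 with errno set
 * on failure.  Owner, group and permission bits are applied with fchown()
 * and fchmod() on the descriptor open() gave us, before it is closed, so
 * they land on the file we created even if DST has since been unlinked and
 * replaced by something else (the hardlink race described in the message). */
int copy_file_fd_safe(const char *src, const char *dst)
{
    struct stat st;
    char buf[65536];
    ssize_t n;
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    if (fstat(in, &st) < 0) { close(in); return -1; }
    /* O_EXCL: this call only ever touches a file it created itself.  Start
     * at 0600; the source's mode is applied once the content is in place. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, n - off);
            if (w < 0) { if (errno == EINTR) continue; goto fail; }
            off += w;
        }
    }
    if (n < 0)
        goto fail;
    /* Only root may give a file away; for anyone else EPERM just means the
     * copy stays owned by the caller, which is the pre-chown Emacs behaviour. */
    if (fchown(out, st.st_uid, st.st_gid) < 0 && (errno != EPERM || geteuid() == 0))
        goto fail;
    /* Deliberately not chmod(dst): the path may no longer name our file. */
    if (fchmod(out, st.st_mode & 07777) < 0)
        goto fail;
    close(in);
    return close(out);
fail: {
        int saved = errno;
        close(in);
        close(out);
        errno = saved;
        return -1;  /* partial file is left; unlink(dst) would trust the path again */
    }
}
```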