
Re: Bug#20241: Timezones should depend on debian-utils



Manoj Srivastava wrote:
> 	Where? Have you seen the exploitation mentioned somewhere, or
>  is this wishful thinking?  I have seen how the race conditions are
>  exploited. This is not one of them. Have you really looked at this, or
>  is this a knee jerk reaction?

I could exploit it: In pseudo-code:

while (dpkg is not running)
	sleep 1
done

fork 100 copies of self
while true; do
	for 1 to 65525; do
		create symlink exploit in /tmp
	done
done

This assumes that dpkg takes over 1 second to start up on the target system.
Until dpkg runs, the program just sits there. As soon as dpkg runs, it takes
over most of the system by forking multiple copies, and then it attempts to
exploit the race condition. There's a decent chance it will succeed, since
your shell script is now running very slowly, and there's plenty of time to
get the symlink made.

If you want real-life examples, as opposed to my feeble one, I suggest you
check the archives of Bugtraq for plenty of examples.

> Joey> A safe way to make a /tmp file:
> 
> Joey> mkdir /tmp/tmpdir || {
> >> You can replace this with something else if you like, perhaps
> >> something that tries another directory name.
> Joey> echo unable to create temporary directory. Giving up. exit 1
> >>
> Joey> tmpfile=/tmp/tmpdir.$$/tmpfile
> 
> Joey> mkdir will abort if /tmp/tmpdir.$$ already exists, and is atomic
> Joey> so it cannot be raced. (Warning: I am not a security
> Joey> expert. However, I've seen this explained several times in the
> Joey> past and I'm pretty sure this is the proper way to do it.)
> 
> 	This suffers from more of a window than my method does. 
>  rm -f $TEMPFILE && touch $TEMPFILE is safer than this.

Explain why.

-- 
see shy jo

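The mkdir-based approach from the quoted exchange, written out as a complete POSIX sh function; this is an added illustration, not code from the thread. The function names, the retry counter in the directory name and the 100-attempt limit are my assumptions; the security property is the one Joey relies on: mkdir(2) fails with EEXIST when the name already exists (including as a symlink), so the script never has to "check, then create".

```shell
#!/bin/sh
# Atomic temporary-directory creation. mkdir either creates a brand-new
# directory or fails; it never follows an existing symlink at that name.

# make_safe_tmpdir [BASE] : prints the path of a freshly created private
# directory under BASE (default /tmp), or fails after 100 attempts.
make_safe_tmpdir() {
    base="${1:-/tmp}"
    i=0
    while [ "$i" -lt 100 ]; do
        # Vary the name per attempt (hypothetical scheme): a name someone
        # else already occupies only costs us one retry.
        dir="$base/tmpdir.$$.$i"
        # umask 077 in the subshell keeps the directory private to us.
        # mkdir's own success is the only signal trusted; no pre-check.
        if (umask 077 && mkdir "$dir") 2>/dev/null; then
            printf '%s\n' "$dir"
            return 0
        fi
        i=$((i + 1))
    done
    echo "unable to create temporary directory. Giving up." >&2
    return 1
}

# make_safe_tmpfile [BASE] : creates an empty file inside a fresh private
# directory and prints its path. Because nobody else can write in that
# directory, a plain name inside it cannot be redirected by a symlink.
make_safe_tmpfile() {
    dir=$(make_safe_tmpdir "$1") || return 1
    file="$dir/tmpfile"
    : > "$file" || return 1
    printf '%s\n' "$file"
}

# For contrast, the pattern questioned above has a window between the two
# commands in which the name is unowned; touch then uses whatever is there:
#   rm -f "$TEMPFILE" && touch "$TEMPFILE"
```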
