Subject: Re: CRITICAL ** Holes in default cron jobs ** CRITICAL
To: None <tech-kern@NetBSD.ORG>
From: der Mouse <mouse@Holo.Rodents.Montreal.QC.CA>
List: tech-kern
Date: 01/02/1997 11:27:02
> (I also didn't see your example.)

Oh, that would explain it.  (I thought I recognized your quote as being
from the same message in which I gave that example, but there wasn't
enough context to be sure.  My (wetware) memory needs ECC bits. :-)

> [In reference to having more directory levels than file descriptors.]
>> So even if you were willing to go to the trouble of doing the
>> filesystem walk with fchdir(), the code complexity would quickly get
>> - in my opinion - unmanageable.

> The code would probably be encapsulated in the fts_*() calls,

True...which doesn't simplify it any.  May even complicate it,
especially if you don't want fts_*() to run its client out of file
descriptors.

> I admit that I haven't tried out an implementation yet or thought
> through all of the consequences, but if you use chdir("..") instead
> of holding onto a file descriptor to all of the parent directories, I
> don't think you need to use more than one file descriptor at a time.

But chdir()ing through .. is just what you can't do, or you can wind up
in an arbitrary unexpected place about which all you know is that it's
on the same filesystem you started from (assuming a few reasonable
things about who can do mounts and umounts and who owns mount points),
and if you do a second chdir("..") before recovering you don't know
even that much.  Er, not quite - you do know that if you wind up
someplace unexpected, it's someplace the attacker had write access to
at some point between your descent and your ascent.  (I don't see how
knowing this could be useful; I'm being a bit pedantic.)

Unless you chown directories to root and chmod them go-w on the way
down and put them back on the way up, so that the putative attacker
can't switch things out from under you...which is something I don't
consider a reasonable alternative.

Of course, you can _detect_ having been tricked when you chdir("..");
it's just not clear to me what you can _do_ about it - especially if
you're stuck in a library routine like fts_*() where you don't know
whether the appropriate action is plowing bravely on, a silent exit, a
noisy exit, or something else (perhaps a syslog message plus carrying
on)....

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
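The two mechanics argued over above, ascending with chdir("..") so that only one descriptor is open at a time, and detecting that the ascent did not land where the walk started, can be shown in a few dozen lines. The following is an added illustration, not code from this thread or from any BSD fts_*() implementation. It records the (st_dev, st_ino) pair of a directory before descending into a child, ascends with chdir(".."), and compares the pair of "." against the record; on the way down it likewise compares the lstat() of the entry with the stat(".") taken after the chdir(), so an entry swapped out between the two calls is noticed before anything under it is visited. The directory names, the use of mkdtemp() under /tmp for the constructed test tree, and the decision to simply return -1 on a mismatch are assumptions of the example; what a real caller should do on that -1 is exactly the open question in the message.

```c
/* Added example: a one-descriptor-at-a-time directory walk that verifies
 * every chdir("..") really returned to the recorded parent.
 * Not from the mailing-list thread; paths and the /tmp tree are assumptions. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 when both stat records denote the same inode on the same device. */
static int same_dir(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* chdir("..") and confirm we reached the directory recorded before the
 * descent.  0 on success, -1 when "." is not the expected parent. */
int ascend_checked(const struct stat *expected_parent)
{
    struct stat here;
    if (chdir("..") != 0 || stat(".", &here) != 0)
        return -1;
    return same_dir(&here, expected_parent) ? 0 : -1;
}

/* Walk the current directory recursively.  Returns the number of
 * directories visited (the starting one included) or -1 if any descent
 * or ascent did not land on the directory that was checked for. */
static long walk_cwd(void)
{
    struct stat self, st, here;
    DIR *d;
    struct dirent *e;
    char **names = NULL;
    size_t n = 0, i;
    long count = 1;

    if (stat(".", &self) != 0 || (d = opendir(".")) == NULL)
        return -1;
    /* Collect subdirectory names, then close the DIR: nothing stays open
     * across the recursion, so depth does not consume descriptors. */
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        if (lstat(e->d_name, &st) != 0 || !S_ISDIR(st.st_mode))
            continue;               /* lstat: never follow symlinks */
        char **tmp = realloc(names, (n + 1) * sizeof *names);
        if (tmp == NULL)
            break;
        names = tmp;
        names[n++] = strdup(e->d_name);
    }
    closedir(d);

    for (i = 0; i < n && count >= 0; i++) {
        if (lstat(names[i], &st) != 0 || !S_ISDIR(st.st_mode))
            continue;               /* vanished meanwhile; nothing to do */
        if (chdir(names[i]) != 0)
            continue;
        /* Descent check: "." must be the inode lstat() just reported. */
        if (stat(".", &here) != 0 || !same_dir(&here, &st)) {
            count = -1;             /* entry swapped between lstat() and chdir() */
        } else {
            long sub = walk_cwd();
            /* Ascent check: chdir("..") must bring us back to self. */
            if (ascend_checked(&self) != 0 || sub < 0)
                count = -1;
            else
                count += sub;
        }
    }
    for (i = 0; i < n; i++)
        free(names[i]);
    free(names);
    return count;
}

/* Constructed test tree under mkdtemp(): root, a, a/b, a/b/c, a/d.
 * Walks it, removes it, returns the count (5 when nothing interfered). */
long demo_walk(void)
{
    char root[] = "/tmp/walkdemoXXXXXX";
    char saved[4096], path[4200];
    static const char *dirs[] = { "a", "a/b", "a/b/c", "a/d" };
    long n = -1;
    size_t i;
    if (getcwd(saved, sizeof saved) == NULL || mkdtemp(root) == NULL)
        return -1;
    for (i = 0; i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", root, dirs[i]);
        if (mkdir(path, 0700) != 0)
            goto out;
    }
    if (chdir(root) == 0)
        n = walk_cwd();
out:
    if (chdir(saved) != 0)
        n = -1;
    for (i = 4; i-- > 0; ) {
        snprintf(path, sizeof path, "%s/%s", root, dirs[i]);
        rmdir(path);
    }
    rmdir(root);
    return n;
}

/* Detection path: record the temp directory itself as the "expected
 * parent" and ascend.  chdir("..") lands in /tmp, whose dev/ino differ,
 * so ascend_checked() must report -1. */
int demo_mismatch(void)
{
    char root[] = "/tmp/walkdemoXXXXXX";
    char saved[4096];
    struct stat self;
    int rc = -1;
    if (getcwd(saved, sizeof saved) == NULL || mkdtemp(root) == NULL)
        return -1;
    if (chdir(root) == 0 && stat(".", &self) == 0)
        rc = ascend_checked(&self);
    if (chdir(saved) != 0)
        rc = -2;
    rmdir(root);
    return rc;
}

int main(void)
{
    printf("directories walked: %ld\n", demo_walk());
    printf("mismatch detected: %s\n", demo_mismatch() == -1 ? "yes" : "no");
    return 0;
}
```

The checks only establish identity, not safety: a walk that was redirected is noticed on the next chdir(".."), after whatever sat under the substituted directory has already been visited, which is why the descent-side comparison is there too. The example returns -1 and leaves the policy (abort, log, carry on) to the caller, since a library routine has no way of knowing which of those its client wants.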