Subject: Re: make advisory
To: David Brownlee <abs@mono.org>
From: Brian C. Grayson <bgrayson@marvin.ece.utexas.edu>
List: tech-security
Date: 01/25/2000 01:15:22
Message-ID: <20000125011522.A1713@marvin.ece.utexas.edu>
To: David Brownlee <abs@mono.org>, tech-security@netbsd.org
Reply-To: bgrayson@netbsd.org
References: <Pine.NEB.4.21.0001210042480.621-100000@oblivion.mono.org>
In-Reply-To: <Pine.NEB.4.21.0001210042480.621-100000@oblivion.mono.org>; from David Brownlee on Fri, Jan 21, 2000 at 12:43:24AM +0000

On Fri, Jan 21, 2000 at 12:43:24AM +0000, David Brownlee wrote:
...
> However make(1) uses the temporary file in an insecure way, repeatedly
> deleting and reusing the same file name for the entire life of the
> program. This makes it vulnerable to a race condition wherein a
> malicious user could observe the name of the temporary file being
> used, and replace the contents of a later instance of the file with
> her desired commands after the legitimate commands have been written.

  If the temp file is mode 644, how could malicious, unprivileged
user B modify it after it has been written, but before it has
been read?  Plus, doesn't it make it difficult for it to be a
hole if the file is never closed before forking, and the child
only does a rewind?  Am I missing something?  :)

  Brian
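The question raised in the reply above, whether a file descriptor held across a fork and merely rewound is affected by someone swapping in a different file at the same path, can be checked directly. The program below is an added example and is not code from make(1), the NetBSD tree, or either poster; the helper names write_commands(), replace_path(), read_by_name() and read_by_fd() and the two command strings are constructed for this demonstration. It writes a line to a mkstemp(3) file, simulates a replacement of that path with rename(2), and then reads the contents back two ways: by re-opening the path by name, and through the descriptor that was kept open the whole time.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not code from make(1) or the NetBSD tree. All helper
 * names below are hypothetical and exist only for this demonstration. */

static const char LEGIT[] = "echo legitimate\n";   /* constructed sample */
static const char EVIL[]  = "echo replaced\n";     /* constructed sample */

/* Create a temp file with mkstemp(3), write LEGIT into it and return the
 * still-open stream. The path is copied into `path` so the caller can play
 * the role of someone who has observed the temp file's name. */
static FILE *write_commands(char *path, size_t pathlen)
{
    char tmpl[] = "/tmp/makeXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return NULL;
    snprintf(path, pathlen, "%s", tmpl);
    FILE *fp = fdopen(fd, "w+");          /* mkstemp opened it O_RDWR */
    if (fp == NULL) { close(fd); return NULL; }
    fputs(LEGIT, fp);
    fflush(fp);                           /* data is on disk, stream stays open */
    return fp;
}

/* Simulate the swap the advisory worries about: a second file holding
 * EVIL is renamed over the known path after LEGIT was written. */
static int replace_path(const char *path)
{
    char other[] = "/tmp/otherXXXXXX";
    int fd = mkstemp(other);
    if (fd < 0) return -1;
    if (write(fd, EVIL, strlen(EVIL)) != (ssize_t)strlen(EVIL)) { close(fd); return -1; }
    close(fd);
    return rename(other, path);
}

/* Pattern 1: re-open the file by name and read whatever is there now. */
static int read_by_name(const char *path, char *buf, size_t len)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    size_t n = fread(buf, 1, len - 1, fp);
    buf[n] = '\0';
    fclose(fp);
    return 0;
}

/* Pattern 2: keep the original stream, rewind it and read through it.
 * A child after fork(2) inherits the same open file description, so this
 * models "never closed before forking, the child only does a rewind". */
static int read_by_fd(FILE *fp, char *buf, size_t len)
{
    rewind(fp);
    size_t n = fread(buf, 1, len - 1, fp);
    buf[n] = '\0';
    return 0;
}

/* Returns 1 if re-opening by name after the swap yields EVIL, 0 otherwise,
 * -1 on a setup failure. */
int by_name_sees_replacement(void)
{
    char path[64], buf[64];
    FILE *fp = write_commands(path, sizeof path);
    if (!fp) return -1;
    if (replace_path(path) != 0) { fclose(fp); unlink(path); return -1; }
    int rc = read_by_name(path, buf, sizeof buf);
    fclose(fp);
    unlink(path);
    return rc == 0 && strcmp(buf, EVIL) == 0;
}

/* Returns 1 if the retained descriptor still reads LEGIT after the swap,
 * 0 otherwise, -1 on a setup failure. */
int fd_keeps_original(void)
{
    char path[64], buf[64];
    FILE *fp = write_commands(path, sizeof path);
    if (!fp) return -1;
    if (replace_path(path) != 0) { fclose(fp); unlink(path); return -1; }
    int rc = read_by_fd(fp, buf, sizeof buf);
    fclose(fp);
    unlink(path);
    return rc == 0 && strcmp(buf, LEGIT) == 0;
}

int main(void)
{
    printf("reopen by name sees replaced contents: %d\n", by_name_sees_replacement());
    printf("retained descriptor still reads original: %d\n", fd_keeps_original());
    return 0;
}
```

The by-name re-open picks up the swapped-in contents, while the descriptor opened before the swap keeps pointing at the original inode; that is the distinction the reply is asking about. Whether a given make(1) release closed and re-opened the file by name, and whether the directory permissions on the temp location let another user perform the rename at all, are separate questions this example does not settle.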