Subject: Re: per-user /tmp
To: None <tech-security@netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: tech-security
Date: 02/03/2007 20:52:40

Elad Efrat wrote:
> Christian Biere wrote:
> > In order to prevent unintentionally donating a file or directory when
> > mkdir() fails.
 
> can you elaborate on what you mean?

Is this a trick question? If you already know that it's not possible, then
say so. No, I haven't analyzed this code fully but when I see this pattern

mkdir()
chown()

I realize that there is a race condition between these two system calls.
It might be impossible to exploit this as long as everything is correctly
configured but if not then not. Next comes "we sell rope", issue resolved.
 
> > Well, bug or feature? Isn't that inconsistent if some tools/features only
> > consider the UID whereas others use the login?

> did you look at the code before you made any of these comments?

No.

> the
> kernel knows about numbers, not about their translation to strings
> as dictated by /etc/passwd.

I assumed if systrace respects $USER, the same might somehow be possible for
magic symlinks as well. I guess it isn't, fine by me.

-- 
Christian
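
One way to close the window between mkdir() and chown() that the message above points at is to stop on any mkdir() failure and change ownership through a file descriptor rather than by path name. This is an added example, not code from the thread or from NetBSD; `make_owned_dir` and the `/tmp/owned-XXXXXX` location are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (not from the thread): create path and hand it to
 * uid/gid without resolving the path name again for the ownership change.
 * Returns 0 on success, -1 on failure. */
int make_owned_dir(const char *path, uid_t uid, gid_t gid)
{
    struct stat sb;
    int fd, rc;

    /* Any failure ends here, EEXIST included: something that was already
     * there was not created by us and must never reach the chown step. */
    if (mkdir(path, 0700) == -1)
        return -1;

    /* Pin the object with a descriptor. O_NOFOLLOW rejects a symlink and
     * O_DIRECTORY rejects a non-directory substituted after mkdir(). */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1)
        return -1;

    /* Confirm the pinned object is a directory we own before giving it away. */
    if (fstat(fd, &sb) == -1 || !S_ISDIR(sb.st_mode) || sb.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    rc = fchown(fd, uid, gid);   /* acts on the descriptor, not the name */
    close(fd);
    return rc;
}

int main(void)
{
    char dir[] = "/tmp/owned-XXXXXX";   /* constructed sample location */
    char sub[64];

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(sub, sizeof sub, "%s/user", dir);
    printf("first call:  %d\n", make_owned_dir(sub, geteuid(), getegid()));
    printf("second call: %d\n", make_owned_dir(sub, geteuid(), getegid()));
    return 0;
}
```

The ownership check cannot tell the new directory apart from another directory with the same owner, so this still assumes the parent directory is not writable by untrusted users, or has the sticky bit set.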