Re: dynamic /dev security hole?

From: Michael Buesch
Date: Mon Aug 09 2004 - 12:16:36 EST

Next message: Greg KH: "Re: 2.6.8-rc2-mm1: bluetooth broken?"
Previous message: Matti Aarnio: "Re: AES assembler optimizations"
In reply to: Eric Lammerts: "Re: dynamic /dev security hole?"
Next in thread: Greg KH: "Re: dynamic /dev security hole?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quoting Eric Lammerts <eric@xxxxxxxxxxxx>:
> Better not do it for symlinks.

Yes, you're right.

===== udev-remove.c 1.31 vs edited =====
- --- 1.31/udev-remove.c 2004-04-01 04:12:56 +02:00
+++ edited/udev-remove.c 2004-08-09 19:12:55 +02:00
@@ -65,6 +65,41 @@
return 0;
}

+/** Remove all permissions on the device node, before
+ * unlinking it. This fixes a security issue.
+ * If the user created a hard-link to the device node,
+ * he can't use it any longer, because he lost permission
+ * to do so.
+ */
+static int secure_unlink(const char *filename)
+{
+ int retval;
+
+ retval = chown(filename, 0, 0);
+ if (retval) {
+ dbg("chown(%s, 0, 0) failed with error '%s'",
+ filename, strerror(errno));
+ /* We continue nevertheless.
+ * I think it's very unlikely for chown
+ * to fail here, if the file exists.
+ */
+ }
+ retval = chmod(filename, 0000);
+ if (retval) {
+ dbg("chmod(%s, 0000) failed with error '%s'",
+ filename, strerror(errno));
+ /* We continue nevertheless. */
+ }
+ retval = unlink(filename);
+ if (errno == ENOENT)
+ retval = 0;
+ if (retval) {
+ dbg("unlink(%s) failed with error '%s'",
+ filename, strerror(errno));
+ }
+ return retval;
+}
+
static int delete_node(struct udevice *dev)
{
char filename[NAME_SIZE];
@@ -79,14 +114,9 @@
strfieldcat(filename, dev->name);

info("removing device node '%s'", filename);
- - retval = unlink(filename);
- - if (errno == ENOENT)
- - retval = 0;
- - if (retval) {
- - dbg("unlink(%s) failed with error '%s'",
- - filename, strerror(errno));
+ retval = secure_unlink(filename);
+ if (retval)
return retval;
- - }

/* remove partition nodes */
if (dev->partitions > 0) {
@@ -94,7 +124,7 @@
for (i = 1; i <= dev->partitions; i++) {
strfieldcpy(partitionname, filename);
strintcat(partitionname, i);
- - unlink(partitionname);
+ secure_unlink(partitionname);
}
}

- --
Regards Michael Buesch [ http://www.tuxsoft.de.vu ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBF7DoFGK1OIvVOP4RAklbAJ0QXZkfiDOExHqTXpue+mKJCeIBHwCgwzAa
3V4LF0jNgiDyXbm6rw4wxqI=
=wXmk
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "Re: 2.6.8-rc2-mm1: bluetooth broken?"
Previous message: Matti Aarnio: "Re: AES assembler optimizations"
In reply to: Eric Lammerts: "Re: dynamic /dev security hole?"
Next in thread: Greg KH: "Re: dynamic /dev security hole?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]