List:Packagers« Previous MessageNext Message »
From:Lenz Grimmer Date:March 13 2003 1:46pm
Subject:Re: [packagers] Re: MySQL user can be changed to root (fwd)
View as plain text  
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On Thu, 13 Mar 2003, Dmitry V. Levin wrote:

> Too late, I've already made the patch myself.

OK. Sorry about that.

> Btw, your patch introduces TOCTOU race condition:
>
> > @@ -241,6 +242,16 @@
> >    {
> >      strmov(name,config_file);
> >    }
> > +  fn_format(name,name,"","",4);
> > +#if !defined(__WIN__) && !defined(OS2)
> > +  {
> > +    MY_STAT stat_info;
> > +    if (!my_stat(name,&stat_info,MYF(MY_WME)))
> > +      return 0;
> > +    if (stat_info.st_mode & S_IWOTH) /* ignore world-writeable files */
> > +      return 0;
> > +  }
> > +#endif
> >    if (!(fp = my_fopen(fn_format(name,name,"","",4),O_RDONLY,MYF(0))))
> >      return 0;					/* Ignore wrong files */
> >
>
> I'd recommend to replace this construction with my_fopen/my_fstat if at
> all possible.

I had to read up about this acronym first :)

Anyway, even though the current patch indeed allows one to change the file
permissions between time of check and time of use, it's a hypothetical
issue. Only the file owner can change the permissions! A malicious user
would need to be the owner of that file, before he could do that.

So I am not sure, if we would gain anything here by using
my_fstat/my_fopen. Serg, any additional comment?

Bye,
	LenZ
- -- 
For technical support contracts, visit https://order.mysql.com/?ref=mlgr
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /      Mr. Lenz Grimmer <lenz@stripped>
 / /|_/ / // /\ \/ /_/ / /__     MySQL AB, Production Engineer
/_/  /_/\_, /___/\___\_\___/     Hamburg, Germany
       <___/   www.mysql.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE+cIujSVDhKrJykfIRAkPgAJ4+LZYeD8TbiIBqvc41LoW1TrLs+wCfcX81
rm5MXRr9fEfggDUN5sQBggc=
=ilt0
-----END PGP SIGNATURE-----
Thread
Re: MySQL user can be changed to root (fwd)Lenz Grimmer10 Mar
  • mysql_install_db patch to support both mysqld-max and mysqldWarly12 Mar
    • Re: mysql_install_db patch to support both mysqld-max and mysqldLenz Grimmer13 Mar
      • Re: mysql_install_db patch to support both mysqld-max and mysqldWarly13 Mar
  • Re: [packagers] Re: MySQL user can be changed to root (fwd)Lenz Grimmer13 Mar
    • Re: [packagers] Re: MySQL user can be changed to root (fwd)Dmitry V. Levin13 Mar
      • Re: [packagers] Re: MySQL user can be changed to root (fwd)Lenz Grimmer13 Mar
        • Re: [packagers] Re: MySQL user can be changed to root (fwd)Dmitry V. Levin13 Mar
          • Re: [packagers] Re: MySQL user can be changed to root (fwd)Sergei Golubchik13 Mar
            • Re: [packagers] Re: MySQL user can be changed to root (fwd)Dmitry V. Levin13 Mar
              • Re: [packagers] Re: MySQL user can be changed to root (fwd)Sergei Golubchik13 Mar
                • Re: [packagers] Re: MySQL user can be changed to root (fwd)Dmitry V. Levin13 Mar
                  • Re: [packagers] Re: MySQL user can be changed to root (fwd)Sergei Golubchik13 Mar
                    • Re: [packagers] Re: MySQL user can be changed to root (fwd)Dmitry V. Levin13 Mar