On Thu, Mar 13, 2003 at 06:25:59PM +0100, Sergei Golubchik wrote:
> > > > > So I am not sure, if we would gain anything here by using
> fstat()
> > > >
> > > > You'll get a bit more secure code. :)
> > >
> > > I cannot see how fstat() can make the code even slightly secure.
> > > What is the scenario where changing stat() to fstat() can help ?
> >
> > It's quite common case:
> > When you call stat before open, there is a race; attacker with rights of
> > mysql user may subvert the file right after the check, and make root to
> > follow his evil instructions.
>
> Nope - it's just general words, they do not apply to this case.
> It attacker has rights of mysql nothing prevents him from altering file
> content and setting proper permissions before any check.
Unless corresponding files and directories are owned by root.
If attacker owns the directory, he can just subvert the file.
If attacker owns the file, he can subvert its content.
Using fstat together with st_uid check closes these issues, too.
After all, let's try to avoid potentially raceable constructions.
--
ldv
Attachment: [application/pgp-signature]
