On Thu, Jan 13, 2000 at 01:03:25AM +0100, Krzysztof Halasa wrote:
> "Sean Hunter" <sean@uncarved.co.uk> writes:
>
> > You run your program, but I have created a simlink in /tmp with the
> > same name (because the name is guessable).
>
> It is independent of PIDs being guessable or not. With really random
> PIDs you can still create link(s) in /tmp and after some number of tries
> you can win the race (especially when you can execute the suid program
> in question yourself).
>
> 32 bits would be some help here, but that doesn't fix the problem,
> only makes you wait longer.
But then again, that's the same principle of all encryption (except one-time pad
XOR). The secret is available, you just have to do incredible amounts of work
to get it.
Still, you could just fill /tmp with all the possible pid-tempfile-symlinks,
no need to retry for each possibility. (Although this would be harder with 32
bit pids).
But all in all, a broken program is a broken program. Period.
Imho, just random filenames isn't enough either, I assume it's always possible
to check if a file/symlink with the chosen name exists, right? So just start
with /tmp/tempfile-[pid]-1 (the pid to stop the slight nuisance of several
programs all searching the same namespace), and if it exists try
/tmp/tempfile-[pid]-2, etc.
--Frank v Waveren fvw@var.cx ICQ# 10074100
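The following is an added illustration of the defensive side of this thread, not code from any participant: it uses the same sequential tempfile-<pid>-<n> naming scheme described above, but makes the "does it exist" check and the create a single open() with O_CREAT|O_EXCL (plus O_NOFOLLOW), so a symlink already sitting at the candidate name makes the call fail with EEXIST instead of being followed. The demo function plants a symlink inside a private mkdtemp() directory, runs the loop, and verifies the link target was never written. All paths and names are constructed for the example; it assumes a Linux/POSIX system with a writable /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a brand-new file at `path`. O_CREAT|O_EXCL makes "does it exist?"
 * and "create it" one atomic system call: if any entry already has that
 * name (a regular file, or a symlink someone planted), open() fails with
 * EEXIST instead of following it. O_NOFOLLOW is belt and braces. */
static int create_new_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Sequential names in the style of the mail (tempfile-<pid>-<n>), but the
 * existence check is the exclusive create itself, so there is no window
 * between "check" and "create" in which a link can appear. On success the
 * chosen path is written to `out` and the open fd is returned; -1 on failure. */
int open_tempfile_excl(const char *dir, char *out, size_t outlen, int max_tries)
{
    for (int n = 1; n <= max_tries; n++) {
        snprintf(out, outlen, "%s/tempfile-%ld-%d", dir, (long)getpid(), n);
        int fd = create_new_file(out);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)
            return -1;          /* permission error etc., not a name collision */
    }
    errno = EEXIST;             /* every candidate name was already taken */
    return -1;
}

/* Demonstration: inside a private mkdtemp() directory, plant a symlink at the
 * first candidate name (constructed for the demo, pointing at a file that must
 * never be created), then run the exclusive-create loop. Returns 1 if the loop
 * skipped the link and the link target was never written, 0 if the target was
 * written, negative on a setup error. */
int demo_excl_skips_planted_symlink(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX";     /* constructed template */
    if (mkdtemp(dir) == NULL)
        return -1;

    char planted[PATH_MAX], target[PATH_MAX], chosen[PATH_MAX];
    snprintf(target, sizeof target, "%s/must-not-be-written", dir);
    snprintf(planted, sizeof planted, "%s/tempfile-%ld-1", dir, (long)getpid());
    if (symlink(target, planted) != 0) {
        rmdir(dir);
        return -2;
    }

    int result = 0;
    int fd = open_tempfile_excl(dir, chosen, sizeof chosen, 10);
    if (fd >= 0) {
        if (write(fd, "x", 1) == 1) {
            struct stat st;
            /* the link target must still not exist: nothing wrote through it */
            int target_untouched = (lstat(target, &st) != 0 && errno == ENOENT);
            int skipped_link = (strcmp(chosen, planted) != 0);
            result = target_untouched && skipped_link;
        }
        close(fd);
        unlink(chosen);
    }
    unlink(planted);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("exclusive create skipped the planted symlink: %s\n",
           demo_excl_skips_planted_symlink() == 1 ? "yes" : "no");
    return 0;
}
```

mkstemp(3) does the same O_CREAT|O_EXCL dance with a random suffix, so in practice that is the call to reach for; the hand-written loop above only exists to show why the atomic create, rather than the name scheme, is what closes the window.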
This archive was generated by hypermail 2b29 : Sat Jan 15 2000 - 21:00:22 EST