From schwim@whatmore.Stanford.EDU Wed Mar 18 20:38:36 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id UAA24963 for ; Wed, 18 Mar 1998 20:38:35 -0500
Received: from whatmore.Stanford.EDU by MIT.EDU with SMTP id AA27003; Wed, 18 Mar 98 20:39:08 EST
Received: (from schwim@localhost) by whatmore.Stanford.EDU (8.8.8/8.8.8) id RAA04137; Wed, 18 Mar 1998 17:38:33 -0800 (PST)
Message-Id: <199803190138.RAA04137@whatmore.Stanford.EDU>
Date: Wed, 18 Mar 1998 17:38:33 -0800 (PST)
From: Larry Schwimmer
Cc: krb5-bugs@MIT.EDU, schwim@leland.Stanford.EDU
In-Reply-To: <199803172350.PAA29584@whatmore.Stanford.EDU> from "Larry Schwimmer" at Mar 17, 98 03:50:32 pm
Subject: Re: BUG: possible lib/krb4/tf_util.c race condition

>Number: 565
>Category: krb5-libs
>Synopsis: Re: BUG: possible lib/krb4/tf_util.c race condition
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: mdh
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Mar 18 20:39:00 EST 1998
>Last-Modified: Thu Jul 09 18:28:27 EDT 1998
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: mdh
State-Changed-When: Thu Jul 9 18:14:18 1998
State-Changed-Why:
Superseded by PR 566.
Responsible-Changed-From-To: gnats-admin->mdh
Responsible-Changed-By: mdh
Responsible-Changed-When: Thu Jul 9 18:27:04 1998
Responsible-Changed-Why:
I'll take this.
>Unformatted:
You (Larry Schwimmer) write:
> Submitter-Id: net
> Originator: Larry Schwimmer
> Confidential: no
> Synopsis: tf_init has a /tmp race condition
> Severity: serious
> Priority: medium
> Category: krb5-libs
> Class: sw-bug
> Release: 1.0.5
> Environment: All

Sample patch included at the end of the note. It's basically the same for the krb4 and krb5 distributions.

yours,
Larry Schwimmer
schwim@leland.stanford.edu
Leland Systems Group

--- lib/krb4/tf_util.c.orig Fri Feb 6 19:44:22 1998
+++ lib/krb4/tf_util.c Wed Mar 18 17:31:55 1998
@@ -278,10 +278,26 @@ #endif /* TKT_SHMEM */ if (wflag) { - fd = open(tf_name, O_RDWR, 0600); + fd = open(tf_name, O_RDWR|O_CREAT|O_EXCL, 0600); if (fd < 0) { return TKT_FIL_ACC; } + if (fstat(fd, &stat_buf) < 0) { + (void) close(fd); + fd = -1; + switch (errno) { + case ENOENT: + return NO_TKT_FIL; + default: + return TKT_FIL_ACC; + } + } + if ((stat_buf.st_uid != me && me != 0) || + ((stat_buf.st_mode & S_IFMT) != S_IFREG)) { + (void) close(fd); + fd = -1; + return TKT_FIL_ACC; + } if (flock(fd, LOCK_EX | LOCK_NB) < 0) { sleep(TF_LCK_RETRY); if (flock(fd, LOCK_EX | LOCK_NB) < 0) { @@ -297,8 +313,24 @@ * for read-only operations and locked for shared access. */ - fd = open(tf_name, O_RDONLY, 0600); + fd = open(tf_name, O_RDONLY|O_NONBLOCK, 0600); if (fd < 0) { + return TKT_FIL_ACC; + } + if (fstat(fd, &stat_buf) < 0) { + (void) close(fd); + fd = -1; + switch (errno) { + case ENOENT: + return NO_TKT_FIL; + default: + return TKT_FIL_ACC; + } + } + if ((stat_buf.st_uid != me && me != 0) || + ((stat_buf.st_mode & S_IFMT) != S_IFREG)) { + (void) close(fd); + fd = -1; return TKT_FIL_ACC; } if (flock(fd, LOCK_SH | LOCK_NB) < 0) {
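Review bot: in the first hunk (the `if (wflag)` write path), `fd = open(tf_name, O_RDWR|O_CREAT|O_EXCL, 0600);` fails with EEXIST whenever the ticket file already exists, so every write-mode open of an existing ticket file now returns TKT_FIL_ACC. O_CREAT|O_EXCL is the right flag pair for the code path that creates a fresh ticket file, but this branch is opening an existing one, and the fstat ownership and `S_IFMT != S_IFREG` check added just below is the guard that actually closes the stat-then-open race, so drop O_CREAT|O_EXCL here and keep the post-open fstat check. Two smaller points in the same hunk: the `case ENOENT:` arm of the errno switch after fstat is dead code, since fstat on an already-open descriptor cannot report ENOENT (the switch can collapse to `return TKT_FIL_ACC;`), and `me` and `stat_buf` are not declared in the hunk, so the review should confirm they are the caller-uid and struct stat already in scope from the existing stat check earlier in tf_init.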
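Review bot: in the second hunk (the read-only path), `open(tf_name, O_RDONLY|O_NONBLOCK, 0600)` followed by the fstat `S_IFMT != S_IFREG` check has the right shape: O_NONBLOCK keeps the open from blocking if something other than a regular file, such as a FIFO, sits at the ticket path, and the fstat check then rejects it before anything is read or locked. Two follow-ups: the `case ENOENT:` arm is unreachable for fstat here too, and the descriptor is left with O_NONBLOCK set after the check; that is harmless for a regular file, but if any later read on this fd depends on blocking semantics, clear the flag with fcntl(fd, F_SETFL, ...) once fstat has confirmed S_IFREG. The `0600` mode argument is also meaningless on this open without O_CREAT and can be dropped.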