To: krb5-bugs@mit.edu
Subject: race opening/creating replay cache.
Organization: The Fall of Imrryr
Date: Mon, 06 Mar 2006 21:44:01 -0500
From: Roland Dowdeswell
Message-Id: <20060307024401.20D2F37011@arioch.imrryr.org>

There is a race condition in the creation of a replay cache, or the replacement of a corrupt cache. Basically, libraries when opening an rcache do the following logic:

1. They try to open the file.
   a. if the open succeeds
      i.  if the magic number matches, return success
      ii. if not, unlink(2) the file.
2. They try to create the file with O_CREAT|O_EXCL.
3. They write the magic number in it.
Of course, if you have 2 processes doing this there is room for: there exists a time t s.t. both processes complete (1) before t and start (2) after t. In this case, one of them will fail if either the file did not exist or was malformed---i.e. had the wrong magic number in it.

This can be reproduced by running the following program:

/* $Id$ */

#include <krb5.h>
#include <com_err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRINC_NAME "race"

/* Report the krb5 error for expression x and exit. */
#define K5BAIL(x) do { \
        code = (x); \
        if (code) { \
                fprintf(stderr, "%s: %s\n", #x, error_message(code)); \
                exit(EXIT_FAILURE); \
        } \
} while(0)

/*ARGSUSED*/
int
main(int argc, char **argv)
{
        krb5_context    ctx;
        krb5_error_code code;
        krb5_rcache     rcache;
        krb5_data       piece;

        /* Server name whose replay cache is opened (or created). */
        piece.data = strdup(PRINC_NAME);
        piece.length = strlen(piece.data);

        K5BAIL(krb5_init_context(&ctx));
        K5BAIL(krb5_get_server_rcache(ctx, &piece, &rcache));

        return 0;
}

To reproduce:

1. Run it under gdb(1), set a break point in krb5_rc_io_open(),
2. Step until you unlink the file,
3. Run another copy of the program,
4. continue the first one, and
5. Note that it fails, with the rather unhelpful error ``permission denied''.

--
Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
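The open/check/unlink/create sequence from the report, written so that losing the O_EXCL race to another process sends the loser back to step 1 instead of failing. This is an added example, not the report's program and not krb5's own rcache code; the function name, the magic value and the retry limit are all constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

#define RC_MAGIC     0x4b525243u  /* constructed magic value, not krb5's */
#define RC_MAX_TRIES 8            /* bound on how often we re-run step 1 */

/* Open an existing valid cache or create a fresh one.  Returns an fd
 * positioned just past the magic, or -1 with errno set. */
int rc_open_or_create(const char *path)
{
    int tries, fd;
    uint32_t magic;

    for (tries = 0; tries < RC_MAX_TRIES; tries++) {
        fd = open(path, O_RDWR);                        /* step 1 */
        if (fd >= 0) {
            magic = 0;
            /* step 1.a.i: a valid existing cache is returned as-is */
            if (read(fd, &magic, sizeof magic) == (ssize_t)sizeof magic
                && magic == RC_MAGIC)
                return fd;
            /* step 1.a.ii: wrong or short magic, unlink it; a racing
             * process may already have done so, so ENOENT is fine */
            close(fd);
            if (unlink(path) < 0 && errno != ENOENT)
                return -1;
        } else if (errno != ENOENT) {
            return -1;                /* genuine failure, e.g. EACCES */
        }
        fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);  /* step 2 */
        if (fd >= 0) {
            magic = RC_MAGIC;         /* step 3: stamp the new cache */
            if (write(fd, &magic, sizeof magic) == (ssize_t)sizeof magic)
                return fd;
            close(fd);
            unlink(path);
            return -1;
        }
        if (errno != EEXIST)
            return -1;
        /* EEXIST is exactly the race in the report: the other process
         * won step 2 between our step 1 and our step 2.  Loop back to
         * step 1 and open its file rather than reporting an error. */
    }
    errno = EBUSY;
    return -1;
}
```

Creating the file and writing its magic are still two separate operations, so a reader that opens the file between them sees a short magic and treats the cache as corrupt; closing that window needs the magic written to a temporary file that is then rename(2)d into place.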