From papowell@dickory.sdsu.edu Fri Mar 28 19:08:09 1997
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA11511 for <bugs@RT-11.MIT.EDU>; Fri, 28 Mar 1997 19:08:00 -0500
Received: from dickory.sdsu.edu by MIT.EDU with SMTP
id AA28824; Fri, 28 Mar 97 19:07:59 EST
Received: (from papowell@localhost) by dickory.sdsu.edu (8.8.3/8.8.2) id QAA02009 for krb5-bugs@mit.edu; Fri, 28 Mar 1997 16:06:59 -0800 (PST)
Message-Id: <199703290006.QAA02009@dickory.sdsu.edu>
Date: Fri, 28 Mar 1997 16:06:59 -0800 (PST)
From: Patrick Powell <papowell@dickory.sdsu.edu>
To: krb5-bugs@MIT.EDU
Subject: bug in rcache/rc_io.c

>Number: 407
>Category: pending
>Synopsis: bug in rcache/rc_io.c
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Mar 28 19:09:00 EST 1997
>Last-Modified: Mon Mar 31 19:26:00 EST 1997
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: tytso
State-Changed-When: Mon Mar 31 19:25:03 1997
State-Changed-Why: Bug fixed already; see PR# 366


From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: krb5-bugs@MIT.EDU, Patrick Powell <papowell@dickory.sdsu.edu>
Cc: gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: pending/407: bug in rcache/rc_io.c
Date: Mon, 31 Mar 1997 19:24:38 -0500

Date: Fri, 28 Mar 1997 16:06:59 -0800 (PST)
From: Patrick Powell <papowell@dickory.sdsu.edu>

Problem: /kerberos/krb5-1.0/src/lib/krb5/rcache/rc_io.c
- this routine is used to check that a cache file has been created
and has the right ownerships. The problem is that it does not
work correctly with SUID programs, and it does not check to see
that the file is really owned by the right person.

A patch to solve this problem has already been checked into our tree,
and it will be fixed in the patchlevel 1 release.

- Ted
>Unformatted:
Sorry not to use the reporter, but the system I am mailing from
is not the one that has the Kerberos distribution and support.

Problem: /kerberos/krb5-1.0/src/lib/krb5/rcache/rc_io.c
- this routine is used to check that a cache file has been created
and has the right ownerships. The problem is that it does not
work correctly with SUID programs, and it does not check to see
that the file is really owned by the right person.

There is a race condition here - the file is 'stat'ed, and then
opened - this allows a window of opportunity for a user to do funny things...
You want to OPEN the file and then use FSTAT to check it.


*** /mnt/papowell/kerberos/krb5-1.0/src/lib/krb5/rcache/rc_io.c Fri Mar 28 10:42:31 1997
--- rc_io.c.orig Fri Mar 28 10:15:13 1997
***************
*** 168,174 ****
--- 168,176 ----
{
krb5_int16 rc_vno;
krb5_error_code retval;
+ #ifndef NO_USERID
struct stat statb;
+ #endif

GETDIR;
if (!(d->fn = malloc(strlen(fn) + dirlen + 1)))
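Review bot: the file headers are in the reverse order for a context diff (`*** /mnt/papowell/.../rc_io.c` first, `--- rc_io.c.orig` second), so the `+` lines in this hunk are what the unmodified `rc_io.c.orig` has and the proposed version drops: it declares `struct stat statb;` unconditionally instead of under `#ifndef NO_USERID`. That is consistent with the second hunk, where the proposed code uses `statb` outside the `NO_USERID` guard, but regenerating the patch as `diff -c rc_io.c.orig rc_io.c` would let the `!`, `+` and `-` markers be read in the usual old-to-new direction.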
***************
*** 177,198 ****
(void) strcat(d->fn,PATH_SEPARATOR);
(void) strcat(d->fn,fn);

d->fd = THREEPARAMOPEN(d->fn,O_RDWR | O_BINARY,0600);
! if(d->fd == -1 || (d->fd = stat(d->fn, &statb)) == -1
! || ((statb.st_mode & S_IFMT) != S_IFREG)) {
! retval = KRB5_RC_IO_PERM;
! goto fail;
! }
! #ifndef NO_USERID
! /* must be owned by either the user or effective user,
! * to prevent some security problems with
! * other users modifying replay cache stufff */
! else if ((statb.st_uid != geteuid() && statb.st_uid != getuid() )){
! retval = KRB5_RC_IO_PERM;
! goto fail;
}
#endif
-
if (d->fd == -1) {
switch(errno)
{
--- 179,200 ----
(void) strcat(d->fn,PATH_SEPARATOR);
(void) strcat(d->fn,fn);

+ #ifdef NO_USERID
d->fd = THREEPARAMOPEN(d->fn,O_RDWR | O_BINARY,0600);
! #else
! if ((d->fd = stat(d->fn, &statb)) != -1) {
! uid_t me;
!
! me = getuid();
! /* must be owned by this user, to prevent some security problems with
! * other users modifying replay cache stufff */
! if ((statb.st_uid != me) || ((statb.st_mode & S_IFMT) != S_IFREG)) {
! FREE(d->fn);
! return KRB5_RC_IO_PERM;
! }
! d->fd = THREEPARAMOPEN(d->fn,O_RDWR | O_BINARY,0600);
}
#endif
if (d->fd == -1) {
switch(errno)
{
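Review bot: in the proposed version (the `***` side), `(d->fd = stat(d->fn, &statb)) == -1` overwrites the descriptor just returned by `THREEPARAMOPEN` with stat's return value, so on success `d->fd` becomes 0, the real descriptor is leaked, and the later `if (d->fd == -1)` and all subsequent I/O see descriptor 0; store the stat result in its own variable. More importantly, the check still stats the pathname rather than the descriptor, so the stat-then-open window described in the report is only moved to after the open, and the object checked can still differ from the object opened; use `fstat(d->fd, &statb)` on the open descriptor, as the covering text itself says. The ownership test against both `geteuid()` and `getuid()` does address the SUID case, and `S_ISREG(statb.st_mode)` reads more clearly than masking with `S_IFMT`.

The open-then-fstat check the report asks for, written out as an added example (not krb5's rc_io.c and not the patch above): it opens first, verifies the type and owner on the descriptor it holds, and additionally refuses symlinks with O_NOFOLLOW where the platform has it (a hardening beyond the report). `rc_open_checked` is a hypothetical helper name.

```c
#define _XOPEN_SOURCE 700          /* for mkstemp(), fstat(), O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0               /* platform without a symlink guard: no-op */
#endif

/* Hypothetical helper (not krb5's rc_io.c). Opens an existing replay-cache
 * file and validates the object actually opened, in the order the report
 * asks for: open() first, then fstat() on the descriptor. Returns the open
 * descriptor, or -1 with errno set (EPERM for a type or ownership mismatch). */
int rc_open_checked(const char *fn)
{
    struct stat statb;
    int saved_errno;
    int fd = open(fn, O_RDWR | O_NOFOLLOW, 0600);

    if (fd == -1)
        return -1;                 /* ENOENT, EACCES, EISDIR, ELOOP, ... */

    /* fstat() describes the file behind fd, so a path swapped between the
     * open and the check cannot substitute a different object. */
    if (fstat(fd, &statb) == -1) {
        saved_errno = errno;
        close(fd);
        errno = saved_errno;
        return -1;
    }

    /* Same ownership rule as the proposed patch: real or effective uid,
     * which keeps SUID programs working. Must also be a regular file. */
    if (!S_ISREG(statb.st_mode) ||
        (statb.st_uid != geteuid() && statb.st_uid != getuid())) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *fn = argc > 1 ? argv[1] : "replay.cache";   /* constructed default */
    int fd = rc_open_checked(fn);
    if (fd == -1) { perror(fn); return 1; }
    printf("%s passed the type and ownership check (fd %d)\n", fn, fd);
    return close(fd);
}
```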