From schwim@whatmore.Stanford.EDU Wed Mar 18 20:38:36 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id UAA24963 for <bugs@RT-11.MIT.EDU>; Wed, 18 Mar 1998 20:38:35 -0500
Received: from whatmore.Stanford.EDU by MIT.EDU with SMTP
id AA27003; Wed, 18 Mar 98 20:39:08 EST
Received: (from schwim@localhost)
by whatmore.Stanford.EDU (8.8.8/8.8.8) id RAA04137;
Wed, 18 Mar 1998 17:38:33 -0800 (PST)
Message-Id: <199803190138.RAA04137@whatmore.Stanford.EDU>
Date: Wed, 18 Mar 1998 17:38:33 -0800 (PST)
From: Larry Schwimmer <schwim@whatmore.Stanford.EDU>
Cc: krb5-bugs@MIT.EDU, schwim@leland.Stanford.EDU
In-Reply-To: <199803172350.PAA29584@whatmore.Stanford.EDU> from "Larry Schwimmer" at Mar 17, 98 03:50:32 pm
Subject: Re: BUG: possible lib/krb4/tf_util.c race condition
State-Changed-From-To: open-closed
State-Changed-By: mdh
State-Changed-When: Thu Jul 9 18:14:18 1998
State-Changed-Why:
Superseded by PR 566.
Responsible-Changed-From-To: gnats-admin->mdh
Responsible-Changed-By: mdh
Responsible-Changed-When: Thu Jul 9 18:27:04 1998
Responsible-Changed-Why:
I'll take this.
Sample patch included at the end of the note. It's basically
the same for the krb4 and krb5 distributions.
yours,
Larry Schwimmer
schwim@leland.stanford.edu
Leland Systems Group
--- lib/krb4/tf_util.c.orig Fri Feb 6 19:44:22 1998
+++ lib/krb4/tf_util.c Wed Mar 18 17:31:55 1998
@@ -278,10 +278,26 @@
#endif /* TKT_SHMEM */
if (wflag) {
- fd = open(tf_name, O_RDWR, 0600);
+ fd = open(tf_name, O_RDWR|O_CREAT|O_EXCL, 0600);
if (fd < 0) {
return TKT_FIL_ACC;
}
+ if (fstat(fd, &stat_buf) < 0) {
+ (void) close(fd);
+ fd = -1;
+ switch (errno) {
+ case ENOENT:
+ return NO_TKT_FIL;
+ default:
+ return TKT_FIL_ACC;
+ }
+ }
+ if ((stat_buf.st_uid != me && me != 0) ||
+ ((stat_buf.st_mode & S_IFMT) != S_IFREG)) {
+ (void) close(fd);
+ fd = -1;
+ return TKT_FIL_ACC;
+ }
if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
sleep(TF_LCK_RETRY);
if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
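Review bot: `O_RDWR|O_CREAT|O_EXCL` on the write-path `open` makes the call fail with EEXIST whenever the ticket file already exists, so after this hunk a writable `tf_init` only succeeds on a file that is not there yet; the fstat ownership and `S_IFREG` checks that follow already close the stat-then-open race on the open descriptor, so `O_RDWR` alone (or `O_RDWR|O_NONBLOCK`, matching the read path) would keep existing ticket files usable. Second, the `case ENOENT: return NO_TKT_FIL;` inside the fstat error switch is unreachable: fstat works on an already-open descriptor and does not report a missing path, so the NO_TKT_FIL distinction is actually lost three lines earlier at `if (fd < 0) { return TKT_FIL_ACC; }`, where an errno check would belong. The `me != 0` exemption in `stat_buf.st_uid != me && me != 0` also lets a root process accept a ticket file owned by another user; if that is intended it deserves a comment.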
@@ -297,8 +313,24 @@
* for read-only operations and locked for shared access.
*/
- fd = open(tf_name, O_RDONLY, 0600);
+ fd = open(tf_name, O_RDONLY|O_NONBLOCK, 0600);
if (fd < 0) {
+ return TKT_FIL_ACC;
+ }
+ if (fstat(fd, &stat_buf) < 0) {
+ (void) close(fd);
+ fd = -1;
+ switch (errno) {
+ case ENOENT:
+ return NO_TKT_FIL;
+ default:
+ return TKT_FIL_ACC;
+ }
+ }
+ if ((stat_buf.st_uid != me && me != 0) ||
+ ((stat_buf.st_mode & S_IFMT) != S_IFREG)) {
+ (void) close(fd);
+ fd = -1;
return TKT_FIL_ACC;
}
if (flock(fd, LOCK_SH | LOCK_NB) < 0) {
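Review bot: the same unreachable `case ENOENT:` after fstat appears in this hunk; the NO_TKT_FIL result should be decided from errno when `open` fails at `if (fd < 0) {`, not after fstat on an open descriptor. Adding `O_NONBLOCK` to the read-only open is a sound change: it keeps `open` from blocking on a FIFO placed at tf_name before the `S_IFREG` check below can reject it. The fstat, ownership and regular-file block is otherwise an exact copy of the one in the write path; factoring it into one static helper called from both places would keep the two from drifting apart.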
>Number: 565
>Category: krb5-libs
>Synopsis: Re: BUG: possible lib/krb4/tf_util.c race condition
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: mdh
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Mar 18 20:39:00 EST 1998
>Last-Modified: Thu Jul 09 18:28:27 EDT 1998
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
You (Larry Schwimmer) write:
> Submitter-Id: net
> Originator: Larry Schwimmer
> Confidential: no
> Synopsis: tf_init has a /tmp race condition
> Severity: serious
> Priority: medium
> Category: krb5-libs
> Class: sw-bug
> Release: 1.0.5
> Environment: All