artswrapper's new braces (Re: artswrapper defanged)

Kevin Puetz puetzk at iastate.edu
Fri Aug 9 04:28:45 BST 2002


Waldo Bastian wrote:

> On Wednesday 07 August 2002 08:28 pm, Kevin Puetz wrote:
>> There is a (very) slight race in the checking of the permissions on the
>> file... however, since the permission being looked for is ownership by
>> root, the only user who could make anything of it is root. Since root had
>> the right to make the module trusted anyway, this gains no elevation of
>> privilege.
> 
> You should use lstat then, otherwise an attacker can make a symlink that
> switches very fast between a root-owned module and a malicious module to
> exploit this race condition.

That's a good point, but why do I want lstat? I thought it was stat that 
looked through the link to check the target, and lstat which checked the 
link itself. At least that's what my manpages say...

>> The other issue in question is that of a root-owned .la file pointing to
>> untrusted code. Since an ordinary user cannot create this exploit, and it
>> should not exist in any default installation (the .la files and shared
>> objects are created and installed at the same time, by the same user,
>> with the same permissions) we did not feel this was an issue.
> 
> Are you sure it can't be faked into loading .so files with the same name
> from another location?

The .la file contains a libdir path, I'm presuming that libtool honors it... 
If not, I'm not really sure what can be done about it other than modifying 
artsd's copy of libltdl to check the real file, since libtool won't 
otherwise tell us a thing about it. Anybody more knowledgeable wrt. 
lt_dlopen?

> Cheers,
> Waldo
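
One way to take the check-then-use race discussed in this thread out of the ownership test, as an added example that is not part of the original messages or of artswrapper: open the file first, then check ownership with fstat() on the descriptor, so the stat/lstat question no longer matters. The helper name `open_if_owned_by` and the extra group/other-writable test are assumptions of this example.

```c
/* Added example, not artswrapper code: bind the ownership check to the
 * opened file instead of to the path name. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper. Returns an open read-only descriptor if the file
 * behind `path` is a regular file owned by `owner` and not writable by
 * group or others (the writable test is an assumption, not from the
 * thread); returns -1 otherwise. */
int open_if_owned_by(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NONBLOCK keeps open() from hanging if `path` is a FIFO. */
    int fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* fstat() inspects the inode we already hold open, so a symlink that
     * is re-pointed after open() cannot change what is being checked. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||
        st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return EXIT_FAILURE;
    }
    int fd = open_if_owned_by(argv[1], 0);   /* 0 = root, as in the thread */
    printf("%s: %s\n", argv[1], fd >= 0 ? "trusted" : "not trusted");
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

A loader that is handed a path name, such as the lt_dlopen call mentioned above, resolves that path again, so the result only carries over if the load uses the checked descriptor or every directory on the path is writable by root alone.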






More information about the kde-core-devel mailing list