From The Linux Programming Interface

If a set-user-ID-root program must create a file that initially it must own, but which will eventually be owned by another user, the file should be created so that it is initially not writable by other users, either by using a suitable mode argument to open() or by setting the process umask before calling open(). Afterward, the program can change its ownership with fchown(), and then change its permissions, if necessary, with fchmod(). The key point is that a set-user-ID program should ensure that it never creates a file that is owned by the program owner and that is even momentarily writable by other users.

I was wondering why "a set-user-ID program should ensure that it never creates a file that is owned by the program owner and that is even momentarily writable by other users"?

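The creation sequence the quoted passage prescribes, written out as an added example (not code from the book or the question): create with O_CREAT|O_EXCL and mode 0600, hand the file to its eventual owner with fchown(), and only then widen the permissions with fchmod(). The function names, the choice to strip set-user-ID/set-group-ID bits from the final mode, and the unlink-on-failure cleanup are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close fd, remove the half-initialised file and preserve errno. */
static int fail_and_cleanup(int fd, const char *path)
{
    int saved = errno;
    close(fd);
    unlink(path);
    errno = saved;
    return -1;
}

/* Create `path` for its eventual owner uid/gid with permission bits
 * final_mode. The file is created owner-read/write only (and with
 * O_EXCL, so an existing file or symlink is never reused), ownership is
 * transferred first, and the permissions are widened last. At no point
 * is the file both owned by the creating process and writable by
 * anyone else. Returns 0 on success, -1 on failure with errno set. */
int create_file_for_user(const char *path, uid_t uid, gid_t gid, mode_t final_mode)
{
    mode_t old_umask = umask(077);   /* belt and braces: mask group/other bits */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    umask(old_umask);
    if (fd == -1)
        return -1;

    /* Hand the file to its real owner before loosening permissions. */
    if (fchown(fd, uid, gid) == -1)
        return fail_and_cleanup(fd, path);

    /* Never let a caller-supplied mode smuggle in setuid/setgid bits. */
    final_mode &= S_IRWXU | S_IRWXG | S_IRWXO;
    if (fchmod(fd, final_mode) == -1)
        return fail_and_cleanup(fd, path);

    return close(fd);
}

/* Check helper: permission bits of `path`, or -1 if it cannot be stat'ed. */
int permission_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) == -1)
        return -1;
    return (int)(st.st_mode & 07777);
}
```

An unprivileged process can exercise it by passing its own uid and gid; as root it does exactly the hand-over the book describes.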

1 Answer

If the file is momentarily writable by other users, there is a potential for an adversarial process to write data for its own purposes into the file before you get around to changing the file's ownership. This situation presents the beginnings of a possible privilege escalation exploit, or at the very least, a corruption of intended data by a process that should not have had any opportunity to corrupt the file in the first place.

Say I wanted to gain root privileges from an unprivileged process. I can sit around waiting for your app running as root to start creating a file owned by root. As soon as I see it, my process races to write my rootkit binary into the file. I exploit another buggy privileged process that lets me somehow flip the set-user-id bit on the file -- all before you get around to changing the ownership. Now I can quickly execute my setuid rootkit binary and the code I wrote into it is running as root! I've gained full privileges when I should not have been allowed to.

Write your privileged apps very carefully, lest you open up holes that make it possible for the system to be exploited.
