On Thu, Sep 21, 2006 at 03:35:39PM +0200, Florian Zumbiehl wrote: > One possible solution would be to always create files with S_IRUSR|S_IWUSR > as the mode parameter to open and do a chmod to sb.st_mode after the > chown. I'm not sure, though, whether that would still leave problems > in some cases where an attacker could create the to-be-created file > beforehand and thus cause it to just be opened and truncated without > re-creation. The most-easily constructed scenario (directory writeable > by a user/group not allowed to read the log file) should be prevented by > the chown failing for a non-root logrotate process when trying to change > the owner of the destination file.
Surely in that case, the file couldn't be created in the first place. > Unless anyone is sure that there are no problems left with this > solution (and for the sake of clarity maybe even then), I'd suggest > to instead unlink() the filename beforehand, then (re-)create it with > O_EXCL and mode of 0 (shouldn't cause any problems anymore, since > logrotate never will need to open it unless the later chmod has been > executed), then chown and then chmod the file to set the "cloned > permissions" (possibly obeying the current umask for backwards > compatibility, even though I do consider it rather counter-intuitive > that the umask is obeyed while cloning the permissions of one file onto > another). So, you're suggesting that the sequence should be: unlink(file) open(file,O_CREAT|O_EXCL|O_NOFOLLOW,0) -- fails if file exists close(file) chown(file,user,group) chmod(file,mode) -- Paul Martin <[EMAIL PROTECTED]> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
