On Mon, Feb 23, 2009 at 04:05:26PM +0100, Mladen Turk wrote:
> Joe Orton wrote:
>>
>>> Also shm name is not predictable because the child pid is not
>>> known in advance (well one can make all 1...PID_MAX shm's, sure),
>>
>> tmp races are a security issue regardless of pid predictability (and
>> in fact, pids are predictable on many platforms).
>>
>
> I made it unique. It can still fail in theory during the
> transition from two consecutive api calls
> (file_close and shm_create)
So the race is still there, and if an attacker wins that race, he can
substitute a shm segment containing arbitrary data which the child
process will pick up. -1 stands on that basis.

Using an env var is also completely bizarre. I can't imagine why on
earth an application would want to work like this, rather than e.g.
creating a shm segment in the parent and passing the name as a
command-line option to the exec'ed child - or using a common config
file. Or using hard-coded paths. But trying to shove this all into
apr_proc_create() just seems like a disaster.

Regards, Joe
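The close-then-create window Joe objects to is the classic temp-name race: between the moment the name is released and the moment it is recreated, anything can appear under it, and a non-exclusive create will quietly adopt it. The added example below is not from this thread and not APR code; it is a plain POSIX illustration of the check a creator wants, namely an atomic O_CREAT|O_EXCL create that fails with EEXIST instead of reusing whatever is already there. It uses open() on an ordinary file so it runs anywhere; shm_open() takes the same O_CREAT|O_EXCL flags. The "pre-existing object" case is constructed in-process (a file is planted first), not a real concurrent race, and the file names are made up for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Create an object under `path` only if nothing exists there yet.
 * O_CREAT|O_EXCL makes the existence check and the creation a single
 * atomic syscall, so there is no window in which another process can
 * plant something under the name. O_EXCL also refuses a symlink at
 * `path` (the kernel reports EEXIST), so no separate check is needed.
 * shm_open() accepts the same flag combination.
 *
 * Returns 1 and stores the fd in *out_fd if created fresh,
 *         0 if something already existed under that name (treat as hostile),
 *        -1 on any other error (errno is set).
 */
int create_fresh(const char *path, int *out_fd)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return errno == EEXIST ? 0 : -1;
    *out_fd = fd;
    return 1;
}

/* Normal case: the name is free, so creation succeeds. Cleans up after itself. */
int demo_fresh_create(const char *path)
{
    int fd = -1;
    unlink(path);                     /* start from a clean slate (hypothetical demo path) */
    int rc = create_fresh(path, &fd);
    if (rc == 1)
        close(fd);
    unlink(path);
    return rc;                        /* expected: 1 */
}

/*
 * Failure-mode case: simulate a lost race by planting an object under
 * the expected name before the creator runs (constructed scenario, no
 * real concurrency). A non-exclusive open() would silently adopt it;
 * create_fresh() refuses and reports 0, which the caller should treat
 * as an error rather than continuing with an object it did not make.
 */
int demo_preexisting_name_refused(const char *path)
{
    int fd = -1;
    unlink(path);
    int planted = open(path, O_RDWR | O_CREAT, 0644);   /* stands in for the squatter */
    if (planted < 0)
        return -1;
    close(planted);
    int rc = create_fresh(path, &fd);
    if (rc == 1)
        close(fd);                    /* would indicate the exclusive create did not hold */
    unlink(path);
    return rc;                        /* expected: 0 */
}

int main(void)
{
    printf("fresh create: %d (expect 1)\n",
           demo_fresh_create("example_fresh.tmp"));
    printf("pre-existing name: %d (expect 0)\n",
           demo_preexisting_name_refused("example_planted.tmp"));
    return 0;
}
```

The design point is that the secure sequence has no "free the name, then take it again" step at all: the creator picks a name, attempts an exclusive create once, and treats EEXIST as a failure to report, not a condition to retry around. Combined with Joe's suggestion of creating the segment in the parent and handing the name to the child, the child never creates anything under a name an outsider could have guessed in advance.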
