On Tue, 11 Jan 2005, John Richard Moser wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>http://rafb.net/paste/results/jRFmZD25.html
>
>This is code from a package manager I'm writing based on SQLite.  These
>two functions open a database, creating it if it doesn't exist.
>
>While most of this isn't of general interest, I'd like to point out that
>I create the database by opening it with open() using O_EXCL and
>O_CREAT, and then close the file.  After that I call SQLite's
>sqlite3_open() to open the database.
>
>The reason I do this is so that the database can't be raced to create
>arbitrary writes.  For example, I don't want to call sqlite3_open(),
>have it find the database doesn't exist, then have a normal user insert
>a symlink to /etc/fstab, and have sqlite3 "create" the database.


But /etc/fstab is protected from modification by the operating system
security system. Under your scheme, someone can simply rm the file after
your open but before the sqlite3_open, and you'll still have the same
none problem.


>
>It should be reviewed whether this is a general concern (I haven't
>audited SQLite, so I don't know), and if so, whether a function such as
>sqlite3_sopen() to "open or securely create" a database should be made.
>~ This may just be my paranoia.


No, this is of no concern. You're protected against malicious use by the
operating system. The only person who can open, say, /etc/fstab is root.
If the user is root, they can do whatever damage they want already, they
don't need SQLite to do it for them.


Christian

-- 
    /"\
    \ /    ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
     X                           - AGAINST MS ATTACHMENTS
    / \

Reply via email to