On Wed, 12 Jan 2005, John Richard Moser wrote:
>
>Christian Smith wrote:
>> On Tue, 11 Jan 2005, John Richard Moser wrote:
>>
>>>http://rafb.net/paste/results/jRFmZD25.html
>>>
>>>While most of this isn't of general interest, I'd like to point out that
>>>I create the database by opening it with open() using O_EXCL and
>>>O_CREAT, and then close the file. After that I call SQLite's
>>>sqlite3_open() to open the database.
>>>
>>>The reason I do this is so that the database can't be raced to create
>>>arbitrary writes. For example, I don't want to call sqlite3_open(),
>>>have it find the database doesn't exist, then have a normal user insert
>>>a symlink to /etc/fstab, and have sqlite3 "create" the database.
>>
>> But /etc/fstab is protected from modification by the operating system
>> security system. Under your scheme, someone can simply rm the file after
>> your open but before the sqlite3_open, and you'll still have the same
>> none problem.
>
>/tmp/ is rwx by anyone
>root stats /tmp/tmpdb.root.1072 (pid==1072)
>Nonexistent
>User ln -s /etc/fstab /tmp/tmpdb.root.1072
>root creates /tmp/tmpdb.root.1072
>fstab erased.

SQLite wouldn't work like that. It would read the file (which is actually
/etc/fstab) and determine that it is not a valid SQLite db. SQLite doesn't
just trample over files without verifying that they are in fact valid SQLite
databases.

>>
>>>It should be reviewed whether this is a general concern (I haven't
>>>audited SQLite, so I don't know), and if so, whether a function such as
>>>sqlite3_sopen() to "open or securely create" a database should be made.
>>>~ This may just be my paranoia.
>>
>> No, this is of no concern. You're protected against malicious use by the
>> operating system. The only person who can open, say, /etc/fstab is root.
>> If the user is root, they can do whatever damage they want already, they
>> don't need SQLite to do it for them.
>
>Do you know what a temp file race condition is? It's roughly 20% of
>security vulnerabilities based on Ubuntu Linux Security Notices.

Thanks, that hadn't occurred to me.

>
>https://www.ubuntulinux.org/wiki/USNAnalysis
>
>The type of logic I'm thinking of is the type indicated in USN 3-1, 5-1,
>6-1, 4-1, 13-1, 15-1, 16-1, 24-1, 43-1, 49-1, 51-1
>
>http://www.ubuntulinux.org/support/documentation/usn/
>
>Sometimes SQLite may be used by a root-owned process.

SQLite 3 already uses O_EXCL when creating temporary files, such as the
temporary database.

Non-temporary database files should not be stored in world-writable
locations. If you're writing a package management tool, then the package
database should be in /var/db or some such place, out of reach of the
common user. Thus, such symlink attacks are protected against by the OS
security.

If you're creating a database for temporary (per-process) use, then simply
use a memory-only database (filename ":memory:").

Christian

--
    /"\
    \ /    ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
     X                           - AGAINST MS ATTACHMENTS
    / \
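As an added example (not code from this thread or from SQLite), here is the exclusive-create pattern John describes in C, together with the inode comparison a defender would run to detect the rm-then-replace window between open() and sqlite3_open() that Christian raises. It assumes sqlite3_open() would be called between the two functions while the descriptor is still held; SQLite itself is not linked here, and the self-check uses a constructed "decoy" file in a private temp directory in place of /etc/fstab.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW and mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the database file exclusively: O_CREAT|O_EXCL makes the kernel fail
 * with EEXIST if anything (a planted symlink included) is already at the path;
 * O_NOFOLLOW is a second guard and 0600 keeps the file private. */
int create_private_db(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;            /* fstat on the fd: the path can't be swapped under us */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;                 /* caller keeps this open until the check below passes */
}

/* Before a second opener (sqlite3_open() in the thread; assumed, not linked)
 * takes the path, confirm the path still names the inode we created. This is
 * the check for the rm-then-replace window between open() and sqlite3_open(). */
int path_is_same_file(int fd, const char *path) {
    struct stat by_fd, by_path;
    if (fstat(fd, &by_fd) != 0 || lstat(path, &by_path) != 0) return 0;
    return S_ISREG(by_path.st_mode) && by_fd.st_dev == by_path.st_dev
        && by_fd.st_ino == by_path.st_ino;
}

/* Constructed self-check; returns 0 on success, else the failing step number. */
int run_scenario(void) {
    char dir[] = "/tmp/dbraceXXXXXX", db[256], decoy[256];
    if (!mkdtemp(dir)) return 1;
    snprintf(db, sizeof db, "%s/tmpdb", dir);
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);   /* stands in for /etc/fstab */
    int dfd = open(decoy, O_WRONLY | O_CREAT, 0600), rc = 0;
    if (dfd >= 0) close(dfd);
    int fd = create_private_db(db);
    if (fd < 0) rc = 2;
    else if (create_private_db(db) >= 0 || errno != EEXIST) rc = 3; /* must refuse */
    else if (!path_is_same_file(fd, db)) rc = 4;
    else if (unlink(db) != 0 || symlink(decoy, db) != 0) rc = 5;     /* attacker swap */
    else if (path_is_same_file(fd, db)) rc = 6;                      /* must detect */
    else if (create_private_db(db) >= 0) rc = 7;                     /* must refuse */
    if (fd >= 0) close(fd);
    unlink(db); unlink(decoy); rmdir(dir);
    return rc;
}
```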