[cap-talk] Confused Deputy, multiple authorities - Norm?
Valerio Bellizzomi
devbox at selnet.org
Wed Oct 25 05:04:59 CDT 2006
On 24/10/2006, at 16.48, David Wagner wrote:
>Jed writes:
>>"The billing information file (SYSX)BILL was also stored in SYSX.
>>Some user came to know the name (SYSX)BILL and supplied it to the
>>compiler as the name of the file to receive the debugging
>>information. The compiler passed the name to the operating system in
>>a request to open that file for output. The operating system,
>>observing that the compiler had home files license, let the compiler
>>write debugging information over (SYSX)BILL. The billing information was
>>lost."
>>
>>If the compiler could know the user's UID it could check to ensure
>>that the user had write access to their debugging information file.
>[...]
>>In the case of Unix with SUID I believe the problem is more
>>subtle. In the Unix case an SUID application can get the original
>>UID of the user and to a large extent can determine if an action
>>would be beyond the authority of a user.
>
>It's not quite that simple, because of TOCTTOU attacks (race conditions).
>If you check that the user should have write access, then go ahead and
>perform the write if the answer is yes, you might discover that the user
>briefly had access at the time when you performed the check but didn't
>have access by the time you did the write, because the file changed in
>between.
Can this problem be resolved by designing the "check+write" as an atomic
operation?
val
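An added example (Python, not from the thread or its participants) of the race David Wagner describes and of the usual fix, which is to open first and then inspect the object the deputy actually holds, so that nothing done to the path afterwards can move the write. File ownership stands in for "the user may write here", and `between` is a constructed hook that replaces the user's file with a symlink to the billing file at the worst moment.

```python
import errno
import os
import stat
import tempfile

def naive_debug_write(path, user_uid, data, between=None):
    """Check-then-act, the pattern the thread warns about: the check is made
    on the *path*, and the open that follows resolves the path all over again."""
    if os.stat(path).st_uid != user_uid:          # check (follows symlinks)
        raise PermissionError("user may not write here")
    if between:
        between()                                 # the TOCTTOU window
    with open(path, "wb") as f:                   # act: re-resolves the path
        f.write(data)

def hardened_debug_write(path, user_uid, data, between=None):
    """Open first, then check the object held. fstat() describes the inode
    behind the fd, so the write cannot be redirected after the check;
    O_NOFOLLOW refuses a symlink as the final component (parent directories
    are still resolved, so they must be trusted)."""
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != user_uid:
            raise PermissionError("user may not write here")
        if between:
            between()                             # too late to matter now
        os.ftruncate(fd, 0)
        os.write(fd, data)
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: for each variant the user's file is swapped for a
    symlink to the billing file during the window; returns what happened."""
    out, uid = {}, os.getuid()
    for name, fn in (("naive", naive_debug_write), ("hardened", hardened_debug_write)):
        with tempfile.TemporaryDirectory() as d:
            bill, dbg = os.path.join(d, "BILL"), os.path.join(d, "debug.out")
            for p in (bill, dbg):
                with open(p, "w") as f:
                    f.write("original\n")
            def swap():                           # re-point the path mid-call
                os.remove(dbg)
                os.symlink(bill, dbg)
            fn(dbg, uid, b"debug info\n", between=swap)
            with open(bill) as f:
                out[name + "_clobbered_bill"] = f.read() != "original\n"
            try:                                  # dbg is now a symlink
                fn(dbg, uid, b"again\n")
                out[name + "_refuses_symlink"] = False
            except OSError as e:
                out[name + "_refuses_symlink"] = e.errno == errno.ELOOP
    return out
```

On Unix the fully atomic "check+write" is to let the kernel make the check: a SUID deputy switches to the real UID (seteuid) before open(), which this example omits because it needs root to run.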