[cap-talk] Reducing Ambient user authority in a Type Safe /Memory Safe OS.
Rob Meijer
capibara at xs4all.nl
Fri Dec 18 09:25:07 PST 2009
On Fri, December 18, 2009 13:58, Marcus Brinkmann wrote:
> Rob Meijer wrote:
>> The process of creating an anonymous file to my knowledge still uses
>> linking into a namespace that is vulnerable to race condition attacks.
>
> It's only vulnerable if used incorrectly ever since O_EXCL was added, see
> mkstemp(3).
The O_EXCL flag only makes sure that a named file does not already exist
within the given namespace before creating it. The problem remains that in
between the open with O_CREAT | O_EXCL, or mkstemp for that matter, and
the moment of unlink, we have a short moment that the file exists in the
global namespace, and a hostile process could potentially gain access to
it.
>> That is in the anonymous file creation I've seen, you do an open/create
>> call followed by an unlink. Is there a way to create an anonymous file
>> without using a temporary namespace to link it into?
>
> The GNU/Hurd implemented an extension to the POSIX API that allowed creation
> of anonymous, unnamed files (the files were never linked into the
> filesystem).
I don't understand 'never linked into the filesystem', the file needs to
be linked into the filesystem, just not into the global namespace of the
filesystem.
Rob
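The window discussed above, as an added example that is not code from the thread: the first function records what the namespace shows at each step of the mkstemp()/unlink() idiom, and the second goes beyond the thread by trying Linux's later O_TMPFILE flag (added in kernel 3.11), which, like the Hurd extension Marcus mentions, never gives the file a name. Function names and the /tmp template are this example's own choices.

```c
/* Added example (not from the cap-talk thread): observe the mkstemp()/unlink()
 * window Rob describes, then try the unnamed-from-the-start O_TMPFILE path. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
struct anon_result {
    int visible_before_unlink;  /* 1: stat() found the path before unlink */
    int visible_after_unlink;   /* 0: the name is gone after unlink */
    int fd_usable_after_unlink; /* 1: the open fd still reads what we wrote */
    int mode_is_private;        /* 1: mkstemp created it with mode 0600 */
};
/* POSIX idiom: named temporary file, then unlink. 0 on success, -1 on error. */
int anon_file_via_unlink(struct anon_result *r)
{
    char path[] = "/tmp/captalk-XXXXXX";   /* constructed template for mkstemp */
    struct stat st; char buf[4] = {0};
    memset(r, 0, sizeof *r);
    int fd = mkstemp(path);                /* O_CREAT|O_EXCL|O_RDWR, mode 0600 */
    if (fd < 0) return -1;
    /* The window: the file now has a name in the shared /tmp namespace. */
    r->visible_before_unlink = (stat(path, &st) == 0);
    r->mode_is_private = r->visible_before_unlink && (st.st_mode & 0777) == 0600;
    if (unlink(path) < 0) { close(fd); return -1; }
    /* The name is gone, but the open descriptor still holds the inode. */
    r->visible_after_unlink = (stat(path, &st) == 0);
    if (write(fd, "cap", 3) != 3 || lseek(fd, 0, SEEK_SET) != 0 ||
        read(fd, buf, 3) != 3) { close(fd); return -1; }
    r->fd_usable_after_unlink = (memcmp(buf, "cap", 3) == 0);
    close(fd);
    return 0;
}

/* Linux O_TMPFILE: open an unnamed file in /tmp's filesystem, so no window.
 * Returns 1 if it worked, 0 if kernel/filesystem lack it, -1 on other errors. */
int anon_file_via_o_tmpfile(void)
{
#ifdef O_TMPFILE
    int fd = open("/tmp", O_TMPFILE | O_RDWR, 0600);
    if (fd >= 0) { close(fd); return 1; }
    return (errno == EOPNOTSUPP || errno == EISDIR || errno == EINVAL) ? 0 : -1;
#else
    return 0;                              /* platform without O_TMPFILE */
#endif
}
```

The 0600 mode limits the window to processes running as the same user, which is why the idiom is usually tolerated; O_TMPFILE removes the window altogether on filesystems that support it.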