Shostack + Friends Blog Archive


Buggy Advice from Adam

So in the “Code Review Guidelines” which I wrote a long time back, I quote a bit of code by Peter Gutmann on how to open a file securely. Last week, Ilja van Sprundel got in touch with me and said that the lstat/open/fstat chain is insecure, because you can recycle inodes by creating a lot of files. He pointed to an Olaf Kirch bugtraq post.

Bad advice lifetime, seven years:

Revision 1.10  1999/06/01 19:25:49  adam
added open comments from Peter

Although, really, I shouldn’t say bad. I should add “What should the programmer do?”
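As one answer to “What should the programmer do?”, here is an added example of my own (not code from the post or from Gutmann’s snippet): drop the lstat() before open() and make every decision on the descriptor open() actually returned, refusing symlinks with O_NOFOLLOW and creating new files with O_EXCL. This cannot make the path name the same file it named a moment ago; it only guarantees that whatever was opened has the required properties. The helper names and the /tmp fixture in self_check() are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing file and check the object behind the descriptor, not the
 * path: the name may point at another inode by the time open() runs. O_NOFOLLOW
 * rejects a symlink at the last step; fstat(fd) confirms a regular file we own. */
int open_regular_nofollow(const char *path, int flags)
{
    struct stat st;
    int fd = open(path, flags | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;          /* caller gets -1 with errno set, as with open() */
    }
    return fd;
}

/* Create a file only if the name is free: O_EXCL makes the kernel do the existence
 * check and the creation as one step, so nothing can claim the name in between. */
int create_exclusive(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, mode);
}

/* Constructed fixture (regular file, symlink to it, directory) exercising both
 * helpers; returns 0 when every case behaves as the comments above describe. */
int self_check(void)
{
    char dir[] = "/tmp/safeopen.XXXXXX", plain[64], link[64];
    int fd, bad = 0;
    if (!mkdtemp(dir)) return 1;
    snprintf(plain, sizeof plain, "%s/plain", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    if ((fd = create_exclusive(plain, 0600)) < 0) return 2;
    close(fd);
    bad |= create_exclusive(plain, 0600) != -1 || errno != EEXIST; /* name taken */
    bad |= symlink(plain, link) != 0;
    bad |= open_regular_nofollow(link, O_RDONLY) != -1;   /* symlink refused */
    bad |= open_regular_nofollow(dir, O_RDONLY) != -1;    /* directory refused */
    if ((fd = open_regular_nofollow(plain, O_RDONLY)) < 0) bad = 1; else close(fd);
    unlink(link); unlink(plain); rmdir(dir);
    return bad;
}
```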

4 comments on "Buggy Advice from Adam"

  • Anonymous says:

    ctime will have changed between lstat and fstat – that’s your sign something is wrong.

  • Anonymous says:

    O_NOFOLLOW was meant for this too

  • ilja says:

    and of course no one can ever change ctime ….
    O_NOFOLLOW isn’t good enough either; the point is that there’s still a race: there can in fact be a totally different normal file, and O_NOFOLLOW will still follow directory symlinks, btw.
    The point is that the whole lstat/open/fstat is flawed and simply cannot prevent the file from being a different file, no matter how hard you try.

Comments are closed.