Christian Smith wrote:
> On Tue, 11 Jan 2005, John Richard Moser wrote:
>
>> http://rafb.net/paste/results/jRFmZD25.html
>>
>> This is code from a package manager I'm writing based on SQLite. These
>> two functions open a database, creating it if it doesn't exist.
>>
>> While most of this isn't of general interest, I'd like to point out that
>> I create the database by opening it with open() using O_EXCL and
>> O_CREAT, and then close the file. After that I call SQLite's
>> sqlite3_open() to open the database.
>>
>> The reason I do this is so that the database can't be raced to create
>> arbitrary writes. For example, I don't want to call sqlite3_open(),
>> have it find the database doesn't exist, then have a normal user insert
>> a symlink to /etc/fstab, and have sqlite3 "create" the database.
>
> But /etc/fstab is protected from modification by the operating system
> security system. Under your scheme, someone can simply rm the file after
> your open but before the sqlite3_open, and you'll still have the same
> non-problem.

/tmp/ is rwx by anyone.

  root  stats /tmp/tmpdb.root.1072 (pid==1072)    Nonexistent
  user  ln -s /etc/fstab /tmp/tmpdb.root.1072
  root  creates /tmp/tmpdb.root.1072              fstab erased.

>> It should be reviewed whether this is a general concern (I haven't
>> audited SQLite, so I don't know), and if so, whether a function such as
>> sqlite3_sopen() to "open or securely create" a database should be made.
>> This may just be my paranoia.
>
> No, this is of no concern. You're protected against malicious use by the
> operating system. The only person who can open, say, /etc/fstab is root.
> If the user is root, they can do whatever damage they want already, they
> don't need SQLite to do it for them.

Do you know what a temp file race condition is? It's roughly 20% of security
vulnerabilities based on Ubuntu Linux Security Notices.

https://www.ubuntulinux.org/wiki/USNAnalysis

The type of logic I'm thinking of is the type indicated in USN 3-1, 5-1, 6-1,
4-1, 13-1, 15-1, 16-1, 24-1, 43-1, 49-1, 51-1

http://www.ubuntulinux.org/support/documentation/usn/

Sometimes SQLite may be used by a root owned process.

> Christian

--
All content of all messages exchanged herein are left in the Public Domain,
unless otherwise explicitly stated.
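The timeline above, replayed in code. This is an added example, not the paste from the original post and not SQLite's own code: it contrasts the racy "stat, then create" pattern with the O_CREAT|O_EXCL create the post describes, and adds the check a practitioner wants for the objection raised in the thread (the name being removed and re-pointed between the exclusive create and the later sqlite3_open() by name). The victim file is a constructed stand-in for /etc/fstab inside a private directory; the function names, the O_NOFOLLOW flag, the 0600 mode and the fstat/lstat inode comparison are this example's own choices, and the sqlite3_open() call is only named in comments so the program links without SQLite.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern from the thread (hypothetical victim code): the caller already
 * stat()ed the name and saw nothing. By now an attacker may have planted a
 * symlink; O_CREAT without O_EXCL follows it and truncates the link target. */
int naive_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Exclusive create as in the post, plus O_NOFOLLOW and a private mode.
 * O_CREAT|O_EXCL fails with EEXIST if anything, a symlink included, already
 * sits at the name, so the attacker's link is never followed. */
int secure_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Before handing the name to an open-by-name API such as sqlite3_open():
 * confirm it still resolves to the inode behind fd (same device and inode,
 * regular file, not a symlink). Returns 1 if so, 0 if it was swapped. */
int path_matches_fd(int fd, const char *path) {
    struct stat fs, ps;
    if (fstat(fd, &fs) < 0 || lstat(path, &ps) < 0) return 0;
    return S_ISREG(ps.st_mode) && fs.st_dev == ps.st_dev && fs.st_ino == ps.st_ino;
}

/* Constructed stand-in for /etc/fstab; the real file is never touched. */
static int write_victim(const char *path) {
    static const char body[] = "/dev/sda1 / ext3 defaults 0 1\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, body, sizeof body - 1);
    close(fd);
    return n == (ssize_t)(sizeof body - 1) ? 0 : -1;
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Replays the timeline inside dir. Result bits: 1 naive create clobbered the
 * victim through the symlink; 2 secure create refused the symlink and the
 * victim is intact; 4 secure create succeeds once the name is free and the
 * inode check passes; 8 the check catches the name being swapped afterwards.
 * Returns -1 on setup failure; 15 means every step behaved as described. */
int run_race_demo(const char *dir) {
    char victim[1024], dbpath[1024];
    struct stat st;
    int result = 0, fd;
    snprintf(victim, sizeof victim, "%s/fstab", dir);
    snprintf(dbpath, sizeof dbpath, "%s/tmpdb.root.1072", dir);

    /* root stats /tmp/tmpdb.root.1072: nonexistent */
    if (write_victim(victim) < 0 || stat(dbpath, &st) == 0) return -1;
    /* user: ln -s /etc/fstab /tmp/tmpdb.root.1072 */
    if (symlink(victim, dbpath) < 0) return -1;
    /* root creates the naive way: fstab erased */
    fd = naive_create(dbpath);
    if (fd >= 0) { close(fd); if (file_size(victim) == 0) result |= 1; }
    /* root creates the exclusive way: EEXIST, fstab untouched */
    if (write_victim(victim) < 0) return -1;
    fd = secure_create(dbpath);
    if (fd < 0 && errno == EEXIST && file_size(victim) > 0) result |= 2;
    else if (fd >= 0) close(fd);
    /* with the name free, the exclusive create succeeds and the check passes */
    unlink(dbpath);
    fd = secure_create(dbpath);
    if (fd >= 0 && path_matches_fd(fd, dbpath)) result |= 4;
    /* the objection from the thread: name removed and re-pointed at the victim
     * between the create and sqlite3_open(); the inode check notices */
    if (fd >= 0) {
        unlink(dbpath);
        if (symlink(victim, dbpath) == 0 && !path_matches_fd(fd, dbpath)) result |= 8;
        close(fd);
    }
    unlink(dbpath);
    unlink(victim);
    return result;
}

/* Runs the demo in a fresh per-process directory (/tmp, else the cwd). */
int run_race_demo_in_tmpdir(void) {
    char dir[256];
    snprintf(dir, sizeof dir, "/tmp/sqlite-race-demo.%ld", (long)getpid());
    if (mkdir(dir, 0700) < 0 && errno != EEXIST) {
        snprintf(dir, sizeof dir, "./sqlite-race-demo.%ld", (long)getpid());
        if (mkdir(dir, 0700) < 0 && errno != EEXIST) return -1;
    }
    int result = run_race_demo(dir);
    rmdir(dir);
    return result;
}

int main(void) {
    int r = run_race_demo_in_tmpdir();
    printf("result bitmask: %d (15 = all four steps as expected)\n", r);
    return r == 15 ? 0 : 1;
}
```

The exclusive create only closes the first window. Any later open by name, which is what sqlite3_open() does, reopens the second one, which is why the example keeps the descriptor from the create and compares device and inode numbers against an lstat of the name immediately before that call; keeping the database in a directory that is not world-writable removes the attacker's ability to plant the link in the first place.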