On Sun, Jul 19, 2015 at 11:04 AM, Ingo Schwarze <schwa...@usta.de> wrote:
> Philip Guenther wrote on Sun, Jul 19, 2015 at 10:28:57AM -0700:
>> On Sun, Jul 19, 2015 at 10:24 AM, Ingo Schwarze <schwa...@usta.de> wrote:
>
>>> I don't think we are vulnerable.
>>>
>>> If my analysis is accurate, the only user-controlled files
>>> we open in security(8) are ~/.rhosts and ~/.shosts
>>> in check_rhosts_content(). However, there is
>>>
>>>   next unless -s $filename;
>>>
>>> right before the open(), and for fifos, -s returns false:
>
>> TOCTOU race there. If they can hit the gap and move a fifo
>> over a normal file between the test and the open, the open
>> will hang. Should switch to sysopen() with O_NONBLOCK.
>
> Oops, indeed.
>
> OK?
>   Ingo
>
>
> Index: security > =================================================================== > RCS file: /cvs/src/libexec/security/security,v > retrieving revision 1.35 > diff -u -p -r1.35 security > --- security 21 Apr 2015 10:24:22 -0000 1.35 > +++ security 19 Jul 2015 18:02:38 -0000 > @@ -22,7 +22,7 @@ use strict; > > use Digest::SHA qw(sha256_hex); > use Errno qw(ENOENT); > -use Fcntl qw(:mode); > +use Fcntl qw(O_RDONLY O_NONBLOCK :mode); > use File::Basename qw(basename); > use File::Compare qw(compare); > use File::Copy qw(copy); > @@ -371,7 +371,7 @@ sub check_rhosts_content { > foreach my $base (qw(rhosts shosts)) { > my $filename = "$home/.$base"; > next unless -s $filename; > - nag !open(my $fh, '<', $filename), > + nag !sysopen(my $fh, $filename, O_RDONLY | O_NONBLOCK), > "open: $filename: $!" > and next; > local $_;
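Review bot: in the check_rhosts_content hunk, the only type and size test is still "next unless -s $filename;", which looks at the path before the sysopen() and therefore says nothing about the object that ends up behind $fh. O_NONBLOCK stops the open itself from hanging on a fifo, but the code continues to read from $fh without confirming it is a regular file. Suggest testing the handle right after the sysopen(), for example with -f $fh (and -s $fh in place of the path-based -s), since file tests on a handle stat the open descriptor rather than the name, and skipping the file with a nag when the test fails.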
You need to then test the resulting file handle to verify it was a normal file. I think just nag !-f $fh ?

Philip
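The open-then-check pattern discussed in this thread, as an added stand-alone example that is not code from security(8) or from either poster: it opens with sysopen() and O_NONBLOCK, then tests the handle instead of the path. The helper name open_regular() and the sample files are assumptions constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the security(8) script): open first, then
# check the type of the object actually opened, using the handle.
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NONBLOCK);
use File::Temp qw(tempdir);
use POSIX qw(mkfifo);

# open_regular() is a hypothetical helper name.
# Returns (handle, undef) on success or (undef, reason) on failure.
sub open_regular {
	my ($filename) = @_;
	# O_NONBLOCK: opening a fifo with no writer returns at once
	# instead of hanging.
	sysopen(my $fh, $filename, O_RDONLY | O_NONBLOCK)
	    or return (undef, "open: $filename: $!");
	# -f and -s on a handle fstat the open descriptor, so a rename
	# after the open cannot change the answer.
	unless (-f $fh) {
		close($fh);
		return (undef, "$filename is not a regular file");
	}
	unless (-s $fh) {
		close($fh);
		return (undef, "$filename is empty");
	}
	return ($fh, undef);
}

# Constructed sample input: a regular file and a fifo in a temp dir.
my $dir = tempdir(CLEANUP => 1);
my $regular = "$dir/.rhosts";
my $fifo = "$dir/.shosts";
open(my $out, '>', $regular) or die "create: $regular: $!";
print $out "host.example.org user\n";
close($out);
mkfifo($fifo, 0600) or die "mkfifo: $fifo: $!";

foreach my $filename ($regular, $fifo) {
	my ($fh, $err) = open_regular($filename);
	if ($fh) {
		my $lines = () = <$fh>;
		print "$filename: regular file, $lines line(s)\n";
		close($fh);
	} else {
		print "skipped: $err\n";
	}
}
```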