new parameter: "secure include"

Samuel J Liddicott sam at campbellsci.co.uk
Fri Jun 11 08:18:25 GMT 1999



> -----Original Message-----
> From: CAE Samba Admin [mailto:caesmb at lab2.cc.wmich.edu]
> Sent: 10 June 1999 19:25
> To: Multiple recipients of list
> Subject: new parameter: "secure include"
> 
> I basically copied the "handle_include" function in param/loadparm.c and
> made a "handle_secure_include" function which refuses to include the file
> if any of the following three conditions (in this order) aren't met:
> 
> 	1. 	root must own the file
> 	2.	the file must not be group writable
> 	3.	the file must not be world writable

You should make these checks after opening the file, and make sure the
file you opened is the one you have just checked (same inode), not same
name.

About 10 years ago there was an suid shell script scare which involved
running soft-link suid shell scripts at low priority on a loaded machine
and managing to re-direct the softlink to your own file between the time
it took for the kernel to check perms and take on the uid and the time
it took for the new process to open the file.  The fix was for the shell
to be handed the ready opened file as a name, like /dev/fd3 or
something, thus any hacks by the user are always too late.

You need to make sure this can't happen to you.

Sam
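
Added example, not part of the original message and not Samba's code: one way to follow the advice above is to open the file first and run the three checks with fstat() on the descriptor, so the file that was checked is the file that gets read. The names open_checked_include and fd_passes_checks are hypothetical, the required owner is a parameter (root, uid 0, in the post), and the regular-file test is an extra assumption.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not Samba's handle_secure_include): apply the three
 * checks from the quoted message to an already-open descriptor. */
static int fd_passes_checks(int fd, uid_t required_owner)
{
    struct stat st;

    if (fstat(fd, &st) != 0)           /* describes the open file, not the name */
        return 0;
    if (!S_ISREG(st.st_mode))          /* extra assumption: regular files only */
        return 0;
    if (st.st_uid != required_owner)   /* 1. required owner (root in the post) */
        return 0;
    if (st.st_mode & S_IWGRP)          /* 2. not group writable */
        return 0;
    if (st.st_mode & S_IWOTH)          /* 3. not world writable */
        return 0;
    return 1;
}

/* Open first, check second, then hand back the same descriptor for reading.
 * Returns a descriptor on success, -1 if the open or any check fails. */
int open_checked_include(const char *path, uid_t required_owner)
{
    /* O_NONBLOCK keeps a FIFO planted at this path from stalling the open. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);

    if (fd < 0)
        return -1;
    if (!fd_passes_checks(fd, required_owner)) {
        close(fd);
        return -1;
    }
    return fd;   /* caller reads from this fd; it never reopens by name */
}

int main(int argc, char **argv)
{
    /* Sample path only; pass the include file to test as the first argument. */
    int fd = open_checked_include(argc > 1 ? argv[1] : "/etc/hosts", 0);

    printf("%s\n", fd >= 0 ? "accepted" : "refused");
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Swapping the name to point at another file after the open has no effect here, because fstat() and every later read refer to the descriptor rather than the path.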

