public inbox for glibc-bugs@sourceware.org
From: "bugdal at aerifal dot cx" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/15763] shm_open/unlink let you write outside SHMDIR
Date: Sat, 20 Jul 2013 19:09:00 -0000
Message-ID: <bug-15763-131-8gU6qFjLKq@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-15763-131@http.sourceware.org/bugzilla/>

http://sourceware.org/bugzilla/show_bug.cgi?id=15763

--- Comment #3 from Rich Felker <bugdal at aerifal dot cx> ---
EISDIR does not really make sense because, from the API standpoint of POSIX
SHM, "directories" do not exist in this namespace. Of course a malicious
program can create directories under /dev/shm, though, leading to an error
condition that programs must be able to deal with. I'm not sure what the best
error code would be.

How would you propose checking for directories? The obvious robust approach is
fstat, but that does increase the cost of each shm_open operation moderately.
If you just want to reject invalid names, "." and ".." would be the only two
that need consideration. But if you want to protect applications from
maliciously-created directories, the fstat approach might be needed.

By the way, I'm fairly sure that such directories are not relevant to programs
that use shm_open in a secure manner. Such programs must have the first user
open the file with O_EXCL|O_CREAT, and notify other users out-of-band of the
filename for the shared memory object. Otherwise there is no way of knowing
(within the SHM API) whether the object you opened belongs to another malicious
user; the possibility that it's a directory is a much lesser danger than the
possibility that it's an actual shared memory object owned by another user. So
I rather question whether protection against directories matters.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
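The usage pattern Rich describes above (the first user creates the object with O_CREAT|O_EXCL, tells the other users its name out of band, and an fstat check rejects anything that is not a regular file, which also covers the "." and ".." names he mentions) as an added example in C. This is not code from the thread or from glibc: it stands a mkdtemp scratch directory in for /dev/shm and calls openat directly, so it runs without shm_open or a tmpfs mount, and the names "planted" and "mine" and the EISDIR errno returned for a directory are assumptions of the example, not something the thread settled on.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reject the names singled out in the thread ("." and ".."), plus empty
   names and names with an embedded '/'. One leading '/' is allowed, as
   POSIX permits, and is skipped by the callers below. */
int shm_name_ok(const char *name)
{
    if (name == NULL) return 0;
    if (*name == '/') name++;
    if (*name == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    if (strchr(name, '/') != NULL) return 0;
    return 1;
}

/* The fstat check: a shared memory object must be a regular file. */
int fd_is_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode);
}

/* Creator side. O_EXCL makes the open fail with EEXIST if anything
   (file, directory, symlink) already sits under that name, so a planted
   entry is never silently reused. */
int create_object(int dirfd, const char *name)
{
    if (!shm_name_ok(name)) { errno = EINVAL; return -1; }
    if (*name == '/') name++;
    int fd = openat(dirfd, name,
                    O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    if (!fd_is_regular(fd)) { close(fd); errno = EISDIR; return -1; }
    return fd;
}

/* Consumer side: opens an existing object whose name arrived out of band
   and refuses anything that is not a regular file. The errno value for a
   directory is an arbitrary choice here. */
int open_object(int dirfd, const char *name, int oflag)
{
    if (!shm_name_ok(name)) { errno = EINVAL; return -1; }
    if (*name == '/') name++;
    int fd = openat(dirfd, name, oflag | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (!fd_is_regular(fd)) { close(fd); errno = EISDIR; return -1; }
    return fd;
}

/* Constructed scenario: a directory planted under the name a program
   wants to use. Returns 1 if every step behaves as expected, else 0. */
int demo_scenario(void)
{
    char tmpl[] = "/tmp/shmdemo-XXXXXX";   /* scratch dir standing in for /dev/shm */
    if (mkdtemp(tmpl) == NULL) return 0;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) { rmdir(tmpl); return 0; }
    int ok = 1, fd;

    if (mkdirat(dirfd, "planted", 0700) != 0) ok = 0;

    /* Creator: O_EXCL rejects the planted directory with EEXIST. */
    fd = create_object(dirfd, "planted");
    if (fd != -1 || errno != EEXIST) { ok = 0; if (fd >= 0) close(fd); }

    /* Read-only consumer: open itself succeeds on a directory, the fstat check catches it. */
    fd = open_object(dirfd, "planted", O_RDONLY);
    if (fd != -1 || errno != EISDIR) { ok = 0; if (fd >= 0) close(fd); }

    /* Fresh name: creator gets a regular file and sizes it. */
    fd = create_object(dirfd, "mine");
    if (fd < 0 || !fd_is_regular(fd)) ok = 0;
    if (fd >= 0) { (void)ftruncate(fd, 4096); close(fd); }

    /* Consumer that was told "mine" out of band opens it normally. */
    fd = open_object(dirfd, "mine", O_RDWR);
    if (fd < 0) ok = 0; else close(fd);

    unlinkat(dirfd, "mine", 0);
    unlinkat(dirfd, "planted", AT_REMOVEDIR);
    close(dirfd);
    rmdir(tmpl);
    return ok;
}

int main(void)
{
    printf("scenario %s\n", demo_scenario() ? "behaved as expected" : "FAILED");
    return 0;
}
```

Note that a consumer opening with O_RDWR never reaches the fstat check for a directory, because the kernel already fails such an open with EISDIR; the check matters for read-only consumers and for other non-regular entries that can be opened.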


Thread overview: 7+ messages
2013-07-20 10:55 [Bug libc/15763] New: " corbellini.andrea at gmail dot com
2013-07-20 17:04 ` [Bug libc/15763] " bugdal at aerifal dot cx
2013-07-20 18:45 ` corbellini.andrea at gmail dot com
2013-07-20 19:09 ` bugdal at aerifal dot cx [this message]
2013-07-20 20:40 ` corbellini.andrea at gmail dot com
2013-10-31 13:03 ` neleai at seznam dot cz
2014-06-13 13:21 ` fweimer at redhat dot com
