Created
September 4, 2017 03:32
Gist: timb-machine/759cfaf4023e5791b14bc9eb80162859
Nemo's race condition
On Linux:
$ date && touch foo && chmod u+xs foo && sudo chown 0:0 foo && ls -l foo && date
Sun 26 Apr 15:10:58 BST 2015
-rwxr--r-- 1 root root 0 Apr 26 15:10 foo
Sun 26 Apr 15:10:58 BST 2015
On other OS (iOS in this case):
$ date && touch foo && chmod u+xs foo && sudo chown 0:0 foo && ls -l foo && date
Sun Apr 26 15:09:47 BST 2015
-rwsr--r-- 1 root wheel 0 Apr 26 15:09 foo*
Sun Apr 26 15:09:47 BST 2015
The +s bit is removed on Linux, but not on other OS. The vulnerability in CVE-2015-3339 is that Linux's chown() does not clear the setuid bit atomically with the ownership change, so for a split second foo is both owned by root and +s. On other OS, by contrast, the same sequence leaves foo +s indefinitely.
The key bit from http://pubs.opengroup.org/onlinepubs/9699919799/ is:
"If the specified file is a regular file, one or more of the S_IXUSR, S_IXGRP, or S_IXOTH bits of the file mode are set, and the process does not have appropriate privileges, the set-user-ID (S_ISUID) and set-group-ID (S_ISGID) bits of the file mode shall be cleared upon successful return from chown(). If the specified file is a regular file, one or more of the S_IXUSR, S_IXGRP, or S_IXOTH bits of the file mode are set, and the process has appropriate privileges, it is implementation-defined whether the set-user-ID and set-group-ID bits are altered."
That is to say, the standard leaves this edge case (a privileged caller) to the implementation to decide. Modern Linux does one thing and everyone else does the other.
The race condition that nemo saw on OS X is simply whether the file is owned by root (and therefore setuid root) or by uid 1000 at the moment it is observed.
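The following probe, added here as an example and not part of the gist, checks in code what the two shell sessions above show by eye: whether the running kernel clears S_ISUID as a side effect of chown(). It needs no sudo, because an unprivileged process may chown a file it owns to its own uid and gid; in that branch POSIX mandates the clearing, so run it as root to exercise the implementation-defined branch that the gist is about. The temp-file name and the function name are my own choices.

```c
/* Added example: does chown() on this kernel strip the set-user-ID bit?
 * Mirrors the gist's `touch foo && chmod u+xs foo && chown ... foo && ls -l foo`
 * with the equivalent syscalls. Not from the gist; the path template and
 * function name are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns 1 if chown() cleared S_ISUID, 0 if the bit survived, -1 on error. */
int setuid_cleared_by_chown(void)
{
    char path[] = "/tmp/suid-probe-XXXXXX";   /* constructed temp-file template */
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    /* Make the file a set-uid executable, like `chmod u+xs foo` in the gist. */
    if (fchmod(fd, S_IRWXU | S_ISUID) != 0)
        goto fail;
    if (fstat(fd, &st) != 0 || !(st.st_mode & S_ISUID))
        goto fail;                              /* setuid never took; bail out */

    /* chown() to our own ids: permitted without privilege. As root this is
     * 0:0, i.e. the privileged, implementation-defined case POSIX describes. */
    if (fchown(fd, getuid(), getgid()) != 0)
        goto fail;
    if (fstat(fd, &st) != 0)
        goto fail;

    close(fd);
    unlink(path);
    return (st.st_mode & S_ISUID) ? 0 : 1;

fail:
    close(fd);
    unlink(path);
    return -1;
}

int main(void)
{
    int r = setuid_cleared_by_chown();
    if (r < 0) {
        perror("probe");
        return 1;
    }
    printf("chown() %s the set-user-ID bit on this system (uid %u)\n",
           r ? "cleared" : "kept", (unsigned)getuid());
    return 0;
}
```

On Linux the probe reports "cleared" whether run as root or not, which is the behaviour the first session above shows; the gist's point is that the clearing happens in a separate step after the ownership change rather than atomically with it, which this single-process probe cannot observe. A kernel that reports "kept" when run as root is taking the other implementation-defined choice, as in the second session.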