@timb-machine
Created September 4, 2017 03:32
Nemo's race condition
On Linux:
$ date && touch foo && chmod u+xs foo && sudo chown 0:0 foo && ls -l foo && date
Sun 26 Apr 15:10:58 BST 2015
-rwxr--r-- 1 root root 0 Apr 26 15:10 foo
Sun 26 Apr 15:10:58 BST 2015
On another OS (iOS in this case):
$ date && touch foo && chmod u+xs foo && sudo chown 0:0 foo && ls -l foo && date
Sun Apr 26 15:09:47 BST 2015
-rwsr--r-- 1 root wheel 0 Apr 26 15:09 foo*
Sun Apr 26 15:09:47 BST 2015
The set-user-ID bit is cleared on Linux but kept on the other OS. The vulnerability in CVE-2015-3339 is that Linux's chown() does not change the owner and clear the set-user-ID bit as a single atomic step: for a split second foo is both owned by root and set-user-ID, and a process that executes it inside that window runs it as root. On the other OS, by contrast, the file simply stays set-user-ID root indefinitely, which the standard permits.
The key bit from http://pubs.opengroup.org/onlinepubs/9699919799/ is:
"If the specified file is a regular file, one or more of the S_IXUSR, S_IXGRP, or S_IXOTH bits of the file mode are set, and the process does not have appropriate privileges, the set-user-ID (S_ISUID) and set-group-ID (S_ISGID) bits of the file mode shall be cleared upon successful return from chown(). If the specified file is a regular file, one or more of the S_IXUSR, S_IXGRP, or S_IXOTH bits of the file mode are set, and the process has appropriate privileges, it is implementation-defined whether the set-user-ID and set-group-ID bits are altered."
That is to say, the standard leaves this edge case to the implementation to decide. Modern Linux does one thing and other systems such as OS X do the other.
The race condition that nemo saw on OS X is simply a question of whether the file is owned by root or by uid 1000 (and therefore whose identity the set-user-ID bit grants) at the moment of the call.