1 – Articles du blog. Licence Creative Commons Les articles de ce blog sont fournis selon les termes de la Licence Creative Commons CC-BY-ND. 8 novembre. Shells Linux et Unix par la pratique (French Edition) Feb 06, by CHRISTOPHE BLAESS · Paperback. $$ More Buying Choices. $ (2 Used. Langages de scripts sous Linux [Christophe Blaess] on *FREE* shipping on qualifying offers.
|Published (Last):||22 July 2010|
|PDF File Size:||20.90 Mb|
|ePub File Size:||3.65 Mb|
|Price:||Free* [*Free Regsitration Required]|
Christophe Blaess is an independent aeronautics engineer. He is a Linux fan and does much of his work on this system.
Raspberry Pi « Christophe Blaess
He coordinates the translation of the man pages as published by the Linux Documentation Project. He has a passion for computer security. The general principle of race conditions is the following: It checks the resource is not already used by another process, then it takes over and uses it as it wants.
The problem appears when another process tries to benefit from the lapse of time between the check and the true access to take over the same resource. The results may vary. The classical case in the OS chrstophe is the definitive lock of both processes. In more practical cases, this leads to applications misfunction, or to true security holes when blsess process wrongfully benefits from the privileges of the other. What we previously called resource can have different aspect. Most of the race condition problems often discovered and corrected in the kernel itself, rely on competitive access to memory areas.
Here, we will focus on system applications and we’ll consider that the concerned resources are filesytem nodes. Most of the time, an attack aiming to system security is done against Set-UID applications, since the attacker can run the program till he can benefit from the privileges given to the executable file’s owner.
However, unlike previously discussed security holes buffer overflow, format strings They rather give the opportunity blaesz benefit from the resources of a program while it’s running.
This type of attack is aimed as well to “normal” utilities not Set-UIDthe cracker lying in ambush, waiting for another user, especially rootto run the concerned application for accessing its resources.
This is also true for writing into a file i. Unlike the security holes discussed in ours previous articles, this security problem applies to every application, and not only to Set-UID utilities and system servers or daemons. Let’s have a look at the behavior of a Set-UID program having to save data into a file belonging to the user.
We could, for instance, consider the case of a mail transport software like sendmail. Let’s suppose the user can both provide a backup filename and a message to write into that file, what is plausible under some chistophe.
The application must then check the file belongs to the person having run the program. It also will check that the file is not a symlink to a system file. Don’t we forget, the program being Set-UID rootit is allowed to modify any file in the machine. Accordingly, it will vlaess the file’s owner to its own real UID.
Let’s write something like:. As we explained in our first article, it would be better for a Set-UID application to temporarily loose its privileges and to open the file using the real UID of the user having called it.
As a matter of fact, the above situation rather corresponds to the one christope a daemon, providing services to every user. Nevertheless, we do keep that scheme, even if it isn’t that realistic, since it allows to understand the problem while easily “exploiting” the security hole. As we can see, the program starts doing all the needed controls, checking that the file exists, that it belongs to the user and that it’s a normal file. Christophs, it really opens the file and writes the message.
And, that is where lies the security hole! Or, more exactly, it’s within the lapse of time between the reading of the file attributes with stat and its opening with fopen.
This lapse of time is often extremely short but it isn’t null, then an attacker can benefit from it to change the file’s characteristics. To make blaesz attack even easier, let’s add a line making the process sleeping between the two operations, thus having the time to do the job by hand.
Let’s change the line 30 previously empty and insert:. Now, let’s implement it; first, let’s make the application Set-UID christpohe. Everything is ready for the attack. We are in a directory belonging to us. Next, we run our application in the background “to keep the lead”. Blawss ask it to write a string into that file. It christoph what it has to, sleeps for a while before really accessing the file.
The content of the root line comes from the shadow 5 man page, the most important being the second field to be empty no password. However it isn’t possible to create a copy of such a file, since it would require a full read. You don’t believe it? We did succeed in exploiting a race condition in a Set-UID root utility. Of course, this program was very “helpful” waiting for 20 seconds we finish to modify the files behind its back.
Within a real application, the race condition only applies during very short lapses of time. How to benefit from that? Usually, the principle relies on a brutal attack, renewing the attempts hundred, thousand or ten thousand times, using scripts to automate the sequence. It’s possible to improve the chance of “falling” into the security hole with various tricks aiming at increasing the lapse of time between the two operations that the program wrongly considers as atomically linked.
The idea is to slow down the target process to manage more easily the delay preceding the file modification. Different approaches blaezs be conceivable to reach our goal:. The method allowing to benefit from a security hole based on race condition is therefore boring and repetitive, but it really christophr usable! Blass try blaeds find the most effective solutions.
The above discussed problem relies on the ability to change an object characteristics during the lapse of time between two operations concerning this object, the whole thing being as continuous as possible.
In the previous situation, the change did not concern the file itself. As a matter of fact, the change relies on the link between the existing node in the name tree and the file itself as a physical entity. Let’s remind most of the system commands rmmvlnetc. Even when you delete a file using rm and the unlink system callthe content is really deleted when the last physical link – the last reference – is removed.
The mistake made in the previous program is therefore to consider as unchanging the association between the name of the file and its content, or at least, constant during the lapse of time between christphe and fopen operations. Thus, enough to take the example of a physical link to check this association is not at all a permanent one. Let’s take an example using this type of link. In a directory belonging to us, we create a new link to a system file. Of course, the owner and the access mode are kept.
The ln command -f option forces the creation, even if that name already exists:. Thus we can see the same name points to two differents physical inodes. By the way, it’s obvious that both ” cat ” commands, while working on the same filename, display chrisrophe completely different contents, nevertheless no change happened to these files between the two operations.
In fact, we would like the functions used to check and to access the file, to always point to the same content and the same inode. The kernel itself automatically manages this association when it provides us with a file descriptor. When we open a file for reading, the open system call returns an integer value, that is the descriptor, associating it to the physical file within an internal table. All the reading we’ll do next will concern this file content, whatever happens to the name used for the file opening.
Let’s insist on that point: As soon as there is still a process having a descriptor for a file, the file content isn’t removed from the disk, even if its name disappeared from the directory where it was stored. The kernel ensures to keep the association to the file content during the lapse of time between the open system call providing a file descriptor and the release of this descriptor using close or when the process ends. But then we got our solution!
Enough to start opening the file and then check the permissions examining the descriptor characteristics instead of the filename ones. This is done using the fstat system call this last working like statbut checking a file descriptor rather than a path. To get next an IO flow around the descriptor we’ll use the fdopen function working like fopen while relying on a descriptor rather than on a filename.
Thus, the program becomes:. This time, after line 20, no change concerning the filename deleting, renaming, linking will affect our program’s behavior; the content of the original physical file will be kept.
Thus, it’s important, when manipulating a file, to ensure the association between the internal representation and the real content stays constant.
Preferently, we’ll use the following system calls, these last manipulating the physical file as an already open descriptor rather than their equivalents using the path to the file:. Then, of course, you must start opening the file in the wanted mode, calling open don’t forget the third argument when creating a new file.
More on open later, when talking about the temporary files problem.
We must insist in how is important to check the system calls return codes. This behavior can seem acceptable as soon as a damaged file system repair is concerned. On the other hand, checking that it was impossible to open the file instead of checking if the file really existed, was less acceptable. Let’s finish with this digression insisting in how it’s important to check, not only the system calls success or failure, but the error codes too, before taking any action about system security.
A program concerning the system security shouldn’t work relying on the exlusive access to a file content.
Similar authors to follow
chrkstophe More exactly, it’s important to properly manage the risks of race conditions to the same file. The main danger comes from an user running simultaneously multiple instances of a Chrisgophe root application or establishing various connexions at once with the same daemon, hoping to create a race condition situation, during which the content of a system file could be modified in an unusual way.
To avoid a program being sensitive to this kind of situation, it’s necessary to institute an exclusive access mechanism to the file data.
This is the same problem as the one found in databases when various users are allowed to simultaneously query or change the content of a file. The files locking principle allows to solve this problem. When a process wants to write into a file, it bkaess the kernel to lock that file – or a part of it. As far as the process keeps the lock, no other process can ask to lock the same file, or at least the same part of the file. In the same way, a process asks christopphe locking before reading the content of a file, what ensures no changes will be done as far as the lock is kept.