On Fri 2008-05-16 08:44:35 -0400, martin f krafft wrote:
> also sprach Simon Josefsson <[EMAIL PROTECTED]> [2008.05.16.1328 +0100]:
>> Hi! I've fixed this problem upstream in:
>>
>> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=1f808bbed485731d69a8c37509487632674c7d52
>
> Looks good. I am glad you chmod() before dumping the content. :)
It's definitely better to chmod before dumping content than not, but I think this leaves an (admittedly small) window for an attacker to grab a file descriptor before the file is chmodded. Better would be to call umask(S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH) before opening the output file (and set it back afterward, if you care).

In certtool.c, that seems to happen in the argument parser, though, so I'm not sure if you can know what umask is needed before the output file is opened (e.g. we don't know if we're generating a certificate or a private key). Maybe the file should be opened after all argument processing to allow for setting a proper umask?

For an exaggerated demonstration of the problem: build and run chmodvumask [0] with a non-existent filename as an argument, and hook a tail -f process into that file as a different user within the 10 second window; the text written to the chmod'ed file will be readable by the other user.

hth,

--dkg

[0] http://cmrg.fifthhorseman.net/browser/trunk/test/chmodvumask/chmodvumask.c
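As an added illustration (not from this thread, certtool or chmodvumask), the two patterns side by side in C. Both writers report the permission bits the file carried at the instant it was created, which is exactly what a second user racing the open() would see; the function names, the temp-dir path and the "private key" contents are constructed for the example.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Shared tail: note the mode the file has right now, write, close. Returns
 * those permission bits (what a user racing the writer could see) or -1. */
static int write_and_report(int fd, const char *data, size_t len)
{
    struct stat st;
    int ok = fstat(fd, &st) == 0 && write(fd, data, len) == (ssize_t)len;
    close(fd);
    return ok ? (int)(st.st_mode & 0777) : -1;
}

/* Racy pattern under discussion: create with the default mode (0666 & ~umask,
 * 0644 under the common 022), write the secret, and only then chmod() it. */
static int racy_write(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    int mode = fd < 0 ? -1 : write_and_report(fd, data, len);
    if (mode >= 0 && chmod(path, S_IRUSR | S_IWUSR) != 0) /* too late anyway */
        return -1;
    return mode;
}

/* Fix from the message: clear group/other bits in the umask before the file
 * exists, then restore it (passing 0600 to open() is equivalent; both done). */
static int safe_write(const char *path, const char *data, size_t len)
{
    mode_t old = umask(S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    umask(old);                                 /* restore for the caller */
    return fd < 0 ? -1 : write_and_report(fd, data, len);
}

/* Runs writer on a fresh file in a private temp dir under a 022 umask. */
static int demo(int (*writer)(const char *, const char *, size_t))
{
    char dir[] = "/tmp/chmodvumask-demo-XXXXXX", path[64];
    const char secret[] = "-----BEGIN CONSTRUCTED PRIVATE KEY-----\n";
    if (mkdtemp(dir) == NULL) return -1;
    strcpy(path, dir); strcat(path, "/key.pem");
    mode_t old = umask(022);
    int mode = writer(path, secret, strlen(secret));
    umask(old); unlink(path); rmdir(dir);
    return mode;
}
```

demo(racy_write) comes back 0644 even though the file ends up 0600, while demo(safe_write) is 0600 from the first instant; in certtool's case the same would hold wherever the umask (or the mode passed to open()) is set before the output file is created.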