bug-binutils

[Bug binutils/26945] Unsafe chown+chmod in smart_rename, possibly elsewh


From: bugdal at aerifal dot cx
Subject: [Bug binutils/26945] Unsafe chown+chmod in smart_rename, possibly elsewhere
Date: Fri, 27 Nov 2020 18:27:22 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=26945

--- Comment #4 from Rich Felker <bugdal at aerifal dot cx> ---
That's a lot to review without being familiar with the code, but a couple
things I can tell you right off:

1. make_tempname with fd_return==NULL is *always* a bug, and defeats the whole
purpose of mkstemp. It's the same as if you were using the deprecated insecure
mktemp. Except in a directory that nobody else can write, or with sticky bit,
you can never again be sure the name refers to the file you created.

2. smart_rename needs(*) *two* fds, not just one. It needs the fd of the file
you're replacing, to get the ownership and mode from it via fstat, and the fd
of the temp file it will be renaming over top of the old name, to set the
ownership and mode via fchown and fchmod. If either of these is unavailable it
can't safely copy ownership or mode information.

* Technically the caller could have called fstat on the original file being
replaced already, and pass the owner/mode information (or the whole stat
structure) into smart_rename rather than passing the fd, but I think it makes
more sense to just pass the fd.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
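
The two-descriptor approach described in the comment above, as an added example (not binutils code and not part of the bug thread). The function name `replace_keep_owner_mode` and the fallback of dropping setuid/setgid when ownership cannot be copied are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: atomically replace `path` with `len` bytes of
   `data`, copying owner and mode through file descriptors only. */
int replace_keep_owner_mode(const char *path, const void *data, size_t len)
{
    char tmp[4096];
    struct stat st;
    mode_t mode;
    int tfd = -1, rc = -1;

    /* fd #1: the file being replaced. fstat reports on the object we
       opened, not on whatever the name refers to later. */
    int ofd = open(path, O_RDONLY);
    if (ofd < 0)
        return -1;
    if (fstat(ofd, &st) != 0 || !S_ISREG(st.st_mode))
        goto out;

    /* fd #2: keep the descriptor mkstemp returns (file is created 0600). */
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp)
        goto out;
    if ((tfd = mkstemp(tmp)) < 0)
        goto out;
    if (write(tfd, data, len) != (ssize_t)len)
        goto unlink_tmp;

    /* Ownership and mode are set on the descriptor, never by name. If the
       owner cannot be copied, drop setuid/setgid from the copied mode. */
    mode = st.st_mode & 07777;
    if (fchown(tfd, st.st_uid, st.st_gid) != 0)
        mode &= ~(mode_t)(S_ISUID | S_ISGID);
    if (fchmod(tfd, mode) != 0)
        goto unlink_tmp;

    /* rename still goes by name, but owner and mode were applied to the
       inode we created, not to whatever the temp name points at now. */
    if (rename(tmp, path) == 0)
        rc = 0;
unlink_tmp:
    if (rc != 0)
        unlink(tmp);
out:
    if (tfd >= 0)
        close(tfd);
    close(ofd);
    return rc;
}
```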

