While the permissions on the temp file are correct to prevent it from being
maliciously mangled by passing strangers (created with 600, opened O_EXCL,
etc.), the permissions on the _directory_ might not be, and we re-open the
file to convert the filehandle to a FILE * (and automatically get an error
message and exit if the directory's read-only or out of space or some such).
This opens a potential race condition if somebody's using dnotify on the
directory, deletes/renames the tempfile, and drops a symlink or something
there. Somebody running sed -i as root in a world-writable directory could
do damage.
I dug up notes on an earlier discussion where we looked at the security
implications of this (unfortunately on the #uclibc channel rather than email;
I don't have a transcript, just notes-to-self) which pointed out that if the
permissions on the directory allow other people's files to be deleted/renamed
then the original file is vulnerable to sabotage anyway. However, there are
two cases that discussion apparently didn't take into account:
1) Using another user's permissions to damage files in other directories you
can't access (standard symlink attack).
2) Reading data another user couldn't otherwise access by having the new file
belong to that other user.
This patch uses fdopen to convert the filehandle into a FILE *, rather than
reopening the file.
with tweaks from Mike Frysinger and Rob Landley.
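The pattern the sed -i fix above describes, as an added example (not busybox's own code): the temp file is created with mkstemp() and the descriptor is handed to fdopen(), so nothing ever re-opens the file by name; a fstat() check on the descriptor we hold confirms it is still our private regular file before anything is written. The function names and the /tmp target path are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create "<target>.XXXXXX" with mkstemp() (O_CREAT|O_EXCL, mode 0600) and turn
 * the descriptor into a FILE * with fdopen(). The file is never re-opened by
 * name, so a rename or symlink dropped at that name after creation cannot
 * redirect the writes to some other file. */
FILE *open_tmp_stream(const char *target, char *tmpname, size_t tmplen) {
    if ((size_t)snprintf(tmpname, tmplen, "%s.XXXXXX", target) >= tmplen) return NULL;
    int fd = mkstemp(tmpname);
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "w");
    if (!fp) { close(fd); unlink(tmpname); }
    return fp;
}

/* Defensive check on the descriptor we actually hold: a regular file owned by
 * us with no group/other bits, i.e. exactly what mkstemp() should have made. */
int stream_is_private_regular(FILE *fp) {
    struct stat st;
    if (fstat(fileno(fp), &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

/* sed -i style edit: write the new content to the temp file, then rename it
 * over the target. Any failure removes the temp file and returns -1. */
int write_and_replace(const char *target, const char *content) {
    char tmp[4096];
    FILE *fp = open_tmp_stream(target, tmp, sizeof tmp);
    if (!fp) return -1;
    int ok = stream_is_private_regular(fp) && fputs(content, fp) != EOF;
    if (fclose(fp) != 0) ok = 0;
    if (ok && rename(tmp, target) == 0) return 0;
    unlink(tmp);
    return -1;
}
/* Result check: 1 if `path` holds exactly `expected`, else 0. */
int file_has_content(const char *path, const char *expected) {
    char buf[4096];
    FILE *fp = fopen(path, "r");
    if (!fp) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}
```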
Note: this will still fail to umount a path that contains an ' or \ character.
Is it worth the extra size to filter for that?
> This patch modifies expr to use portable POSIX regex rather than BSD
> regex.
...
> This updated patch implements an anchored regex by checking that the
> match starts at offset 0.
More to the point, this patch uses the same regex that sed.c is already using
(opportunity to suck in less library code), and even building a dynamically
linked busybox with just expr the result is a slightly smaller binary (by 94
bytes, I dunno what nm --size-sort has to say about it because I didn't build
with debug info, since that changes the binary size a lot by disabling
optimization...)
Your mileage may vary. Handle with caution. Do not taunt happy fun ball.
If we exec /proc/self/exe and only fall back to /bin/busybox if /proc isn't
there, then we have a reasonable chance of having the standalone shell work
even if busybox isn't installed in /bin on the system in question.
Still won't work in a chroot environment, but it's an improvement.
I found that lsmod in busybox does not support linux-2.6.
I fixed this issue (it is caused by changes in the /proc/modules format).
If you use lsmod in busybox with kernel-2.6, please use this patch.
To: busybox@mail.codepoet.org
Wrap sockaddr_in6 in an ifdef CONFIG_FEATURE_IPV6.
Include sys/types.h instead of asm/types.h.
Include netinet/if_ether.h instead of linux/if_ether.h.
The ioctl request argument is an int, not an unsigned short.