Problem description
I quote from man page access(2):
What does this mean, and in what situation would it be a concern?

This is a security concern only for set-user-ID and set-group-ID applications. For applications running as the user itself there is no threat, because the operation in question would be rejected by the operating system anyway.
Consider this scenario: you have a UNIX program running as root via set-user-ID. The program uses access to check file permissions of another user, and then runs the file as root, but only if the permission check has been successful. Let's say the program is called securerun, and you run it as follows:
securerun myfile
An attacker can make a program that exploits this security hole to run, using this algorithm:
- Write a file xyz for which the user has execute permission
- Start two threads, A and B
- Thread A waits a few milliseconds, and executes cp norunning xyz to replace xyz with a file that the attacker wants to run, but has no run permission to do so
- Thread B calls securerun xyz
If the attacker gets lucky by getting his timing right, your securerun would check the execute permissions on the old xyz, but it would run the new xyz, a copy of norunning that the hacker wasn't supposed to run. Since there is a short time window between the check and the execution, the attacker is bound to get lucky at some point, if he tries his strategy many times in a loop.