Reported by Solar Designer on V-S:
This is regarding the patch at:
http://cvs.pld.org.pl/shadow/src/useradd.c?r1=1.50&r2=1.51
with the commit message:
"useradd: fixes a potential security problem when mailbox is created in
useradd.
Patch and comment by Koblinger Egmont <egmont@uhulinux.hu>:
Only two arguments are passed to the open() call though it expects three
because O_CREAT is present. Hence the permission of the file first becomes
some random garbage found on the stack, and an attacker can perhaps open
this file and hold it open for reading or writing before the proper
fchmod() is executed. (Actually, we could also pass the final "mode" to
the open() call and then save the consequent fchmod().)"
which is now being tracked as CERT VU#312962.
The patch forgets to check the return value from fchown() before
proceeding with the fchmod(). We've got a better version of the patch
(essentially a re-implementation of this functionality) here:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/shadow-utils/shadow-4.0.4.1-owl-create-mailbox.diff?rev=HEAD
As far as I can recall, this re-implementation is originally by Rafal
Wojtczuk and it's been in Owl since 2001:
* Wed Aug 21 2001 Rafal Wojtczuk <nergal-at-owl.openwall.com>
- fixed mailbox creation, which was wrong in rh patch
(actually committed into Owl in November, 2001).
Also, no, it would not be safe to pass the final mode into open() right
away. That would open up a race condition, too, where the file might be
read/writable by group root instead of group mail for a moment.
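To make the ordering argued above concrete (create with an explicit mode of 0, fchown with its return value checked, fchmod last), here is an added defensive example; it is not the Owl diff or shadow-utils code, and the helper names and the scratch path used to exercise it are assumptions:

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not shadow-utils code. Creates `path` the way the
 * message argues it should be done: the file comes into existence with no
 * permission bits at all, ownership is transferred while it is still 0000,
 * and the final mode is applied last. Every step is checked; on failure the
 * half-configured file is removed so nothing is left behind in a bad state.
 * Returns 0 on success, -1 on failure with errno preserved. */
int create_mailbox(const char *path, uid_t uid, gid_t gid, mode_t final_mode)
{
    /* Explicit third argument: with O_CREAT, omitting it is the original bug
     * (the mode is read from whatever happens to be on the stack).
     * O_EXCL refuses to reuse an existing file or follow a planted symlink. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0);
    if (fd < 0)
        return -1;

    /* Ownership before mode: applying the final mode first would expose the
     * file to the creator's group (root) instead of the mail group for a
     * moment, which is the race the message warns about. */
    if (fchown(fd, uid, gid) < 0 || fchmod(fd, final_mode) < 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    if (close(fd) < 0)
        return -1;
    return 0;
}

/* Audit helper: 1 if `path` has exactly the expected owner, group and
 * permission bits, 0 if not, -1 if it cannot be stat()ed. */
int mailbox_is_correct(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (st.st_uid == uid && st.st_gid == gid &&
            (st.st_mode & 07777) == mode) ? 1 : 0;
}
```

Run as an unprivileged user the helper chowns to the caller's own uid/gid, which the kernel permits; as root it can be pointed at the real user and mail group.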