From: pjb1008@cam.ac.uk (Peter Benie)
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: Anybody experience this type of Dos before?
Date: Sun, 11 Oct 1998 17:36:02 +0100

Jay Cox writes ("Re: Anybody experience this type of Dos before?"):
> Illuminatus Pimpus wrote:
> > BTW: just an ls -l /dev/* shouldn't open any devices for reading.. it
> > should only be stat()ing them. I didn't think that would cause linux to
> > load modules..
>
> It's not /dev/* but /dev/*/*. And it does look like it is loading
> modules like one for this /dev/aztcd. Anyway only bash seems to be affected.

It seems that the behaviour of opendir has changed in glibc2. Here's a
trace of libc5 doing opendir("."):

- stat(".", {st_mode=S_IFDIR|S_ISGID|0755, st_size=3072, ...}) = 0
- open(".", O_RDONLY) = 3
- fcntl(3, F_SETFD, FD_CLOEXEC) = 0

And in glibc2:

- open(".", O_RDONLY|O_NONBLOCK) = 3
- fcntl(3, F_SETFD, FD_CLOEXEC) = 0
- fstat(3, {st_mode=0, st_size=0, ...}) = 0

The glibc method is better since it cannot be tricked into returning
non-NULL for something that isn't a directory, but it does have the
undesirable property that it opens everything in sight, possibly
rewinding tape devices or setting your controlling terminal.

IMO, opendir() should do a stat before opening the directory, as well as
an fstat afterwards.

For bash, setting OPENDIR_NOT_ROBUST in SYSDEP_CFLAGS in bash/machines.h
(even though opendir() _is_ robust) puts a stat before the opendir().

Peter
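One way to implement the stat-before-open plus fstat-afterwards sequence the post recommends, as an added C example written for this page (not code from the original message, from glibc or from bash). It assumes a POSIX.1-2008 libc providing O_DIRECTORY, O_CLOEXEC and fdopendir(), which were not available in 1998; O_DIRECTORY additionally lets the kernel refuse the open itself, so a device node swapped in between the stat and the open is never opened either.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory-open wrapper in the spirit of the post: stat() before the
 * open() so a device node is never opened, then fstat() the descriptor
 * and require the same inode, so a path swapped between the two calls
 * cannot hand back a stream on something else. O_DIRECTORY (POSIX.1-2008,
 * assumed here) makes the kernel itself refuse non-directories.
 * Returns NULL with errno set (ENOTDIR for a refused non-directory). */
DIR *safe_opendir(const char *path)
{
    struct stat before, after;
    int fd, saved;
    DIR *dir;

    if (stat(path, &before) != 0)
        return NULL;                    /* no open() ever issued */
    if (!S_ISDIR(before.st_mode)) {
        errno = ENOTDIR;
        return NULL;                    /* device or file: refuse up front */
    }
    fd = open(path, O_RDONLY | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0)
        return NULL;
    if (fstat(fd, &after) != 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return NULL;
    }
    if (!S_ISDIR(after.st_mode) || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino) {
        close(fd);
        errno = ENOTDIR;                /* object changed under us */
        return NULL;
    }
    dir = fdopendir(fd);                /* the stream now owns fd */
    if (dir == NULL) {
        saved = errno;
        close(fd);
        errno = saved;
    }
    return dir;
}
```

Use it as a drop-in for opendir() in code that walks untrusted trees such as /dev; the returned stream is closed with closedir() as usual.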