
From: pjb1008@cam.ac.uk (Peter Benie)
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: Anybody experience this type of Dos before?
Date: Sun, 11 Oct 1998 17:36:02 +0100

Jay Cox writes ("Re: Anybody experience this type of Dos before?"):
> Illuminatus Pimpus wrote:
> > BTW: just an ls -l /dev/* shouldn't open any devices for reading.. it
> > should only be stat()ing them.  I didn't think that would cause linux to
> > load modules..
> 
> It's not /dev/* but /dev/*/*.  And it does look like it is loading
> modules like one for this /dev/aztcd.  Anyway only bash seems to be affected.

It seems that the behaviour of opendir has changed in glibc2.

Here's a trace of libc5 doing opendir("."):
- stat(".", {st_mode=S_IFDIR|S_ISGID|0755, st_size=3072, ...}) = 0
- open(".", O_RDONLY)                     = 3
- fcntl(3, F_SETFD, FD_CLOEXEC)           = 0

And in glibc2:
- open(".", O_RDONLY|O_NONBLOCK)          = 3
- fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
- fstat(3, {st_mode=0, st_size=0, ...})   = 0

The glibc method is better since it cannot be tricked into returning
non-NULL for something that isn't a directory, but it does have the
undesirable property that it opens everything in sight, possibly
rewinding tape devices or setting your controlling terminal. IMO,
opendir() should do a stat before opening the directory, as well as an
fstat afterwards.

For bash, setting OPENDIR_NOT_ROBUST in SYSDEP_CFLAGS in bash/machines.h 
(even though opendir() _is_ robust) puts a stat before the opendir().

Peter
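The stat-before-open, fstat-after-open sequence proposed in the message, written out as an added C example (not code from the message, bash or glibc). It assumes a POSIX.1-2008 libc for fdopendir(); the O_NONBLOCK flag is taken from the glibc2 trace above.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path as a directory only if stat() says it is one before the open()
 * and fstat() confirms it afterwards; returns NULL with errno set otherwise.
 * The stat() up front is what keeps a glob over /dev from open()ing device
 * nodes (tapes, ttys); the fstat() afterwards catches an entry swapped in
 * between the two calls, a race the stat() alone cannot close. */
DIR *safe_opendir(const char *path)
{
    struct stat st;
    int fd;
    DIR *dir;

    if (stat(path, &st) != 0)
        return NULL;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return NULL;
    }
    /* O_NONBLOCK as in the glibc2 trace: should the entry have become a
     * device after the stat(), the open() at least does not block on it. */
    fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return NULL;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode)) {
        close(fd);
        errno = ENOTDIR;
        return NULL;
    }
    dir = fdopendir(fd);   /* fdopendir() takes ownership of fd on success */
    if (dir == NULL)
        close(fd);
    return dir;
}

/* Convenience check: 1 if safe_opendir() accepts path, 0 otherwise. */
int safe_opendir_ok(const char *path)
{
    DIR *dir = safe_opendir(path);
    if (dir == NULL)
        return 0;
    closedir(dir);
    return 1;
}
```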