Date: Tue, 24 Feb 2009 09:48:17 +0000
From: Joe Orton
To: dev@apr.apache.org
Subject: Re: svn commit: r746589 - in /apr/apr/trunk: ./ include/ include/arch/unix/ include/arch/win32/ misc/unix/ misc/win32/ threadproc/beos/ threadproc/netware/ threadproc/os2/ threadproc/unix/ threadproc/win32/
Message-ID: <20090224094817.GA6199@redhat.com>

On Mon, Feb 23, 2009 at 04:05:26PM +0100, Mladen Turk wrote:
> Joe Orton wrote:
>>
>>> Also shm name is not predictable because the child pid is not
>>> known in advance (well one can make all 1...PID_MAX shm's, sure),
>>
>> tmp races are a security issue regardless of pid predictability (and
>> in fact, pids are predictable on many platforms).
>>
>
> I made it unique. It can still fail in theory during the
> transition from two consecutive api calls
> (file_close and shm_create)

So the race is still there, and if an attacker wins that race, he can
substitute a shm segment containing arbitrary data which the child
process will pick up. -1 stands on that basis.

Using an env var is also completely bizarre. I can't imagine why on
earth an application would want to work like this, rather than e.g.
creating a shm segment in the parent and passing the name as a
command-line option to the exec'ed child - or using a common config
file. Or using hard-coded paths. But trying to shove this all into
apr_proc_create() just seems like a disaster.

Regards, Joe
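
The alternative named in the message above (the parent creates the segment and hands its name to the exec'ed child on the command line), as an added example that is not code from the APR tree or from either poster. It assumes a file-backed segment and plain POSIX calls rather than the APR API; `seg_create`, `seg_open_checked`, `SEG_SIZE` and the `/tmp/segdemo.XXXXXX` location are hypothetical names.

```c
/* Added example (not APR code): file-backed segment, hypothetical helpers. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define SEG_SIZE 4096

/* Parent side: O_EXCL refuses a name that already exists, so an object
 * planted under that name is never adopted. */
int seg_create(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (ftruncate(fd, SEG_SIZE) != 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Child side: never creates, and validates the opened object (fstat on
 * the descriptor), not the name, so there is no check-then-use gap. */
int seg_open_checked(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0 ||
        st.st_size != SEG_SIZE) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    char dir[] = "/tmp/segdemo.XXXXXX", path[64];  /* constructed location */
    int fd, status = 1; pid_t pid;
    if (argc == 2)                     /* child role: name arrived in argv */
        return seg_open_checked(argv[1]) < 0;
    if (!mkdtemp(dir)) return 1;       /* private 0700 directory */
    snprintf(path, sizeof path, "%s/seg", dir);
    if ((fd = seg_create(path)) < 0) return 1;
    if ((pid = fork()) == 0) { execl(argv[0], argv[0], path, (char *)NULL); _exit(127); }
    if (pid > 0) waitpid(pid, &status, 0);
    close(fd); unlink(path); rmdir(dir);
    return !(pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0);
}
```

Because the parent keeps the segment open from creation until the child has attached, there is no close-then-recreate window of the kind discussed in the thread.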