[Novalug] Gzip security hole?
Mike Shade
mshade at mshade.org
Thu Sep 13 11:10:10 EDT 2007
Explanation:
gzip *unlinks* the file after it is read and zipped to test.txt.gz.
Then, the unzip moves it back to its original name, with your user as
the creator.
This would do the same:
cp test.txt test.txt.2 && unlink test.txt && mv test.txt.2 test.txt
Still interesting, though. Having write permissions on the current
directory makes the unlink possible.
-- Mike
Mike Shade wrote:
> A friend pointed out this (seemingly) odd behavior of gzip. Anyone
> know the details of why this happens?
>
> [mshade at opteron ~]$ sudo touch test.txt
> [mshade at opteron ~]$ ls -l test.txt
> -rw-r--r-- 1 root root 0 Sep 13 09:33 test.txt
> [mshade at opteron ~]$ gzip test.txt && gunzip test.txt.gz
> [mshade at opteron ~]$ ls -l test.txt
> -rw-r--r-- 1 mshade mshade 0 Sep 13 09:33 test.txt
> [mshade at opteron ~]$
>
> A file owned by root is changed to me by zipping the file. Unzip it,
> and it's back to original form, but with my ownership. I understand
> that gzip removes the file when it's zipped and then rewrites it when
> it's unzipped -- but why and how do I have permission to remove the file?
>
> This assumes that the current directory is writable to your user, and
> that you have read permissions on the file.
>
> -- Mike
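
The rule described in this message (removing a file is a write to its directory, so the file's own owner and mode do not matter) can be modelled as a check and reproduced in a scratch directory. This is an added example, not part of the original thread. The names `can_replace`, `replace_like_gzip` and `demo` are hypothetical, only classic mode bits are modelled, and the sticky-bit case goes beyond what the message covers.

```python
import os
import stat
import tempfile

def can_replace(uid, gids, dir_mode, dir_uid, dir_gid, file_uid):
    """Can `uid` unlink and recreate a file owned by `file_uid` in this directory?

    Assumption: only classic mode bits count (no ACLs, capabilities, read-only mounts).
    The file's own permission bits never appear: unlink is a write to the directory.
    """
    if uid == 0:
        return True
    if uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if (dir_mode & need) != need:
        return False
    # Sticky bit (as on /tmp): only the file's or the directory's owner may unlink.
    if (dir_mode & stat.S_ISVTX) and uid not in (file_uid, dir_uid):
        return False
    return True

def replace_like_gzip(path):
    """Copy, unlink, rename: the sequence from the message. Returns (old_inode, new_inode)."""
    old = os.stat(path).st_ino
    tmp = path + ".2"
    with open(path, "rb") as src, open(tmp, "wb") as dst:
        dst.write(src.read())
    os.unlink(path)       # allowed by the directory, not by the file
    os.rename(tmp, path)  # the name now points at a new inode owned by the caller
    return old, os.stat(path).st_ino

def demo():
    """Replace a read-only file inside a scratch directory the caller owns."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "test.txt")
        with open(path, "w") as f:
            f.write("constructed sample\n")
        os.chmod(path, 0o444)  # not writable, yet still replaceable
        return replace_like_gzip(path)
```

The differing inode numbers returned by `demo()` show that the result is a new file under the old name, which is why the ownership in the `ls -l` output changes.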