[Novalug] Gzip security hole?
DonJr
djr1952 at hotpop.com
Fri Sep 14 12:07:29 EDT 2007
For how to set the "sticky bit" see 'man chmod'
chmod +t file{or directory}
To see if it's set with 'ls' you would do something like:
ls -dl /tmp /var/lock /var/run
You will get an output something like the following:
drwxrwxrwt 17 root root 4096 2007-09-14 11:54 /tmp
drwxrwxrwt 3 root root 80 2007-09-01 05:30 /var/lock
drwxr-xr-x 12 root root 740 2007-09-09 04:25 /var/run
/\ The 't' indicates that that one has the "sticky bit" set.
-- DonJr
On Fri, 2007-09-14 at 09:21 -0400, Nino Pereira wrote:
> Don,
>
> for the dummies among us, what the ^($R^$## is a 'sticky bit' again?
> How do you set it? unset it? see it with 'ls'?
>
> Nino
>
> DonJr wrote:
> > On Thu, 2007-09-13 at 19:16 -0400, John Franklin wrote:
> >> It doesn't have to be limited to root owned files.. Anything in /tmp
> >> is a candidate to this "attack," including files owned by other
> >> users.
> >
> > Not really with a properly configured /tmp directory.
> > Check out the sticky bit.
> >
> > STICKY DIRECTORIES
> > When the sticky bit is set on a directory, files in that
> > directory may be unlinked or renamed only by the directory owner as
> > well as by root or the file owner. Without the sticky bit,
> > anyone able to write to the directory can delete or rename files.
> > The sticky bit is commonly found on directories, such as /tmp, that
> > are world-writable.
> >
> > IOWs the sticky bit makes the 'unlink/replace' type attack fail.
> >
> >> Pipes are an interesting target. Consider opening a pipe for an app
> >> (think: mysql-style /var/run pipes), unlinking the pipe, then creating
> >> a new one in its place. Voila, instant man-in-the-middle attack.
> >
> >> (I don't think mysql is vulnerable to this, but I'm not able to check right now.)
> >
> > This would only be remotely possible, if you are already 'root' or the
> > user that 'mysql' runs as with a properly configured /var/run .
> > This is one reason why Debian based distributions now mount /var/run
> > > and /var/lock on the tmpfs with basically the following command:
> >
> > mount -t tmpfs /var/run "-o mode=0755"
> > #run's owner and group is root
> > mount -t tmpfs /var/lock "-o mode=1777"
> > > #lock has the same permissions as /tmp
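
Added example (not part of the original thread): a POSIX sh audit for the condition discussed above, a world-writable directory that lacks the sticky bit. The function names classify_dir, find_unsafe_dirs and audit are made up for this example; the directories audited at the end are the ones from the 'ls' command in the message.

```shell
#!/bin/sh
# Added example: flag world-writable directories that lack the sticky bit.

# classify_dir DIR
# Prints: UNSAFE (o+w, no sticky), sticky-ok (o+w with sticky),
#         not-world-writable, or missing.
# find -H follows a symlink given on the command line, so a path such as
# /var/lock that is a symlink on some systems is judged by its target.
classify_dir() {
    _dir=$1
    [ -d "$_dir" ] || { echo missing; return 0; }
    if [ -n "$(find -H "$_dir" -prune -perm -0002 ! -perm -1000 -print)" ]; then
        echo UNSAFE
    elif [ -n "$(find -H "$_dir" -prune -perm -1002 -print)" ]; then
        echo sticky-ok
    else
        echo not-world-writable
    fi
}

# find_unsafe_dirs ROOT
# Lists every world-writable, non-sticky directory under ROOT,
# staying on ROOT's filesystem (-xdev).
find_unsafe_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# audit DIR...
# One line per directory: path and classification.
audit() {
    for _d in "$@"; do
        printf '%-12s %s\n' "$_d" "$(classify_dir "$_d")"
    done
}

audit /tmp /var/lock /var/run
```

A directory reported as UNSAFE can be corrected with the 'chmod +t' command shown in the message.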