From 22b193328754701c37942f4776116ada880efaef Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 18 Jun 1998 12:17:23 +0000 Subject: [PATCH] fixed a race condition in rsync that opened a security hole. The temporary files were being created with the same permissions as the original file. So if the file was setuid but not owned by the user doing the transfer then there was a window of opportunity for a malicious user to execute it with the wrong permissions while it was being transferred. Thanks to snabb@epipe.fi for pointing this out. --- rsync.c | 12 ++++++++++-- rsync.h | 3 +++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/rsync.c b/rsync.c index 1ec4c77d..8e7b74c9 100644 --- a/rsync.c +++ b/rsync.c @@ -886,10 +886,18 @@ int recv_files(int f_in,struct file_list *flist,char *local_name,int f_gen) continue; } - fd2 = do_open(fnametmp,O_WRONLY|O_CREAT|O_EXCL,file->mode); + /* we initially set the perms without the + setuid/setgid bits to ensure that there is no race + condition. They are then correctly updated after + the lchown. Thanks to snabb@epipe.fi for pointing + this out */ + fd2 = do_open(fnametmp,O_WRONLY|O_CREAT|O_EXCL, + file->mode & ACCESSPERMS); + if (fd2 == -1 && relative_paths && errno == ENOENT && create_directory_path(fnametmp) == 0) { - fd2 = do_open(fnametmp,O_WRONLY|O_CREAT|O_EXCL,file->mode); + fd2 = do_open(fnametmp,O_WRONLY|O_CREAT|O_EXCL, + file->mode & ACCESSPERMS); } if (fd2 == -1) { rprintf(FERROR,"open %s : %s\n",fnametmp,strerror(errno)); diff --git a/rsync.h b/rsync.h index 345144d5..deb20a23 100644 --- a/rsync.h +++ b/rsync.h @@ -437,3 +437,6 @@ extern int errno; #define IS_DEVICE(mode) (S_ISCHR(mode) || S_ISBLK(mode) || S_ISSOCK(mode) || S_ISFIFO(mode)) +#ifndef ACCESSPERMS +#define ACCESSPERMS 0777 +#endif -- 2.34.1
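Review bot: In the rsync.c hunk, both `do_open` calls mask with `ACCESSPERMS`, which removes setuid/setgid/sticky but keeps the source file's group and other bits on the temporary file. Going by the new comment, ownership is only corrected by the later lchown (outside this hunk), so until then the file presumably belongs to the receiving user and group. During that window, partly transferred content could be readable or executable by accounts that would have no access to the final file. Consider creating the temporary file owner-only, `file->mode & 0700`, and leaving the full mode to the post-lchown update. Computing the mask once into a local would also keep the two calls from drifting apart. recv_files starts and ends outside the hunk.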
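Review bot: In the rsync.h hunk, the fallback `ACCESSPERMS` definition has no comment saying that it is the mask used when temporary files are created. A later edit that widens it to include the 07000 bits would silently bring back the race this commit closes. I would add above the `#ifndef` something like `/* rwx bits only; must never include S_ISUID/S_ISGID/S_ISVTX - used to mask the mode of temp files in recv_files() */`. On platforms whose headers already define `ACCESSPERMS`, the system value is used instead, so it is worth confirming that it is visible at this point in the header.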