On Sun, Mar 01, 2009 at 10:47:03 -0700, John Brooks wrote:
> Great idea! This should simplify things quite a lot when using control
> connections.
>
> I'm surprised fchmod doesn't work, but I don't think using chmod() would be
> a problem here. Another user very likely wouldn't have the permissions to
> replace the socket file, and if they did, the chmod() call would then fail
> as the tor user would not own the new file. If they were already running as
> the tor user, they could do all sorts of other things and make it really a
> moot point anyway. I don't see a way that another user could bother tor
> using that race condition.

The problem of fchmod not working is Linux-specific and seems to be brought up on LKML every few years, though there's never a response and nobody's sent a patch.

The race condition could be exploited by hardlinking a file owned by the Tor user, which would then become world-writable. But this would only work if the attacker had write permission to the directory and the sticky bit was clear.

-- 
Michael
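One way to remove the bind()-then-chmod() window discussed in this thread, written as an added example (not code from the thread or from Tor): create the socket with the intended mode from the start by narrowing the umask around bind(), and check the target directory for exactly the condition Michael names, writable by others with the sticky bit clear. Function names are my own.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* A directory is safe to host the control socket when another local user
 * cannot swap the path out between bind() and a later chmod(): it is ours,
 * and is either not group/world-writable or carries the sticky bit. */
int socket_dir_is_safe(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != geteuid())
        return 0;                       /* not our directory */
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) && !(st.st_mode & 01000))
        return 0;                       /* others may write, no sticky bit */
    return 1;
}

/* Create the listening socket with the wanted mode from the start: bind()
 * creates the inode as 0777 & ~umask, so narrowing umask around it leaves
 * no loosely-permissioned path that needs a chmod() fix-up. umask is
 * process-wide, so do this before spawning threads. Returns fd or -1. */
int bind_control_socket(const char *path, mode_t mode)
{
    struct sockaddr_un sa;
    mode_t old;
    int fd;
    if (strlen(path) >= sizeof(sa.sun_path))
        return -1;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    unlink(path);                       /* drop a stale socket from a previous run */
    old = umask(~mode & 0777);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 8) != 0) {
        umask(old);
        close(fd);
        return -1;
    }
    umask(old);
    return fd;
}
```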