"Tom 'spot' Callaway" <tcallawa(a)redhat.com> writes:
>> Someone could pre-make the build root in between the rm and mkdir
>> calls.
>
> Erm, ok. In the buildsystem, this should never happen (hooray mock), but
> when building on a multi-user system, I can see the remote possibility.
> However, we're talking about someone performing an operation in a very
> tiny gap.

No; should be trivial to exploit with:
$ create-big-load &
$ d=/var/tmp/foo-package-root-512
$ while test ! -e "$d"/bin/prog; do rm -rf "$d"; mkdir -m0777 -p "$d"/bin; done; \
rm -f "$d/bin/prog"; cp -a my-backdoored-prog "$d/bin/prog"
[ the while-loop should be implemented in C ]
Enrico
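
A defensive counterpart to the race discussed in this thread, as an added example that is not part of the original messages or of any project's code: create the build root with a plain mkdir so that a directory made by someone else after the rm is rejected rather than reused. The helper names claim_buildroot and make_buildroot are hypothetical.

```shell
#!/bin/sh
# Added example; claim_buildroot and make_buildroot are hypothetical helpers.

# Create $1 as a fresh private directory, or fail if anything is already there.
claim_buildroot() {
    root=$1
    # Plain mkdir (no -p) fails with EEXIST if a directory, file or symlink
    # already sits at the path, so a root that another user slipped in after
    # the rm is rejected. "mkdir -p" would silently accept it.
    if ! mkdir -m 0700 -- "$root" 2>/dev/null; then
        echo "buildroot $root already exists or cannot be created; aborting" >&2
        return 1
    fi
    # Defence in depth: it must be a real directory owned by the builder.
    if [ -L "$root" ] || [ ! -d "$root" ] || [ ! -O "$root" ]; then
        echo "buildroot $root is not a directory owned by us; aborting" >&2
        return 1
    fi
}

# Replacement for the "rm -rf; mkdir -p" sequence discussed in the thread.
make_buildroot() {
    rm -rf -- "$1" || return 1   # clear leftovers of an earlier build
    claim_buildroot "$1"         # never falls back to an existing directory
}
```

The 0700 mode matters as much as the EEXIST check: once the directory exists and belongs to the builder, other local users cannot write into it.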