How is mkdir subject to a TOCTOU attack?

Asked Nov 26 '19 at 11:14

Active Nov 26 '19 at 20:22

Viewed 174 times

My answer here, resulted in this comment:

This could be subject to a TOCTOU¹ attack and needs to be developed to be correct.

The answer is in Rust, but here's some equivalent bash:

p=/home/roger/foo/bar/baz.txt
d=$(dirname $p)
mkdir -p $d
# ...and then (implied):
echo "Hello World" > $p

Where is the TOCTOU vulnerability in this? How can it be improved?

¹ Time Of Check - Time Of Use

edited Nov 26 '19 at 20:22

guntbert

asked Nov 26 '19 at 11:14

Roger Lipscombe

There is no [C]heck in your code at all and thus there is no [T]ime [O]f [C]heck. Which means that the time of the non-existent check cannot conflict with the time of use. Of course this does not mean that the code is safe if you create the directory in a place a potential attacker can write into since you don't make sure that the directory is owned and writable only by you. – Steffen Ullrich Nov 26 '19 at 11:43

0 Answers0