What's the secure way to change UNIX permissions on a harcoded file often?

Question

I'm writing a daemon that monitors something in the OS and flips execution permissions on a file in /run/ back and forth. The file has static contents and the file name is hardcoded in the daemon. I made the daemon run as root to make it able to write to /run/.

The daemon is supposed to be used on a large number of desktop Linux machines, so I want to make sure it's not exploitable. I'm not particularly concerned by DDoS attacks though because the daemon is not mission-critical. However, all the ways to make a file executable or not executable seem to have a security flaw.

Way #1: chmod() back and forth

Create the file and chmod() it back and forth. I'm not fond with the idea because if an attacker manages to replace the file with a symlink to something else, an arbitrary file or folder will be chmod'ed into readability and possibly executability. The attacker would need root permissions for that, though.

Way #2: remove the file and atomically recreate it with open()

Delete the the file first and then atomically create a new one with the correct permissions using open(path, O_CREAT|O_WRONLY|O_TRUNC|O_EXCL, permissions), then write contents to the stream and close it. I like this one more because the only thing that can be exploited is removing a file with a hardcoded name by substituting the target directory with a symlink to some other directory, and if you can overwrite root dirs you should not need tricking daemons into removing a file with a hardcoded filename anyway.
What happens if the file gets deleted while the daemon is writing to stream in this case?
Is using g_remove() okay or shall I use unlink() only and abort if it fails?

Am I missing something or I'm just being paranoid and way #2 is secure enough?

Answer 1

Your method #1 can be adapted to protect against symlink attacks:

1. lstat() the file path you want to chmod. Save the values of st_dev and st_ino in the struct stat that is returned. These two numbers uniquely identify the file on your system.
2. open() the file with O_RDONLY.
3. fstat() the open file descriptor. Check to make sure that st_dev and st_ino are the same as the ones you saved earlier. If they're different, you've just followed a symlink and should bail out.
4. fchmod() the file descriptor to set the execute bit. fchmod() is like chmod() except it operates on an open file descriptor.

If the attacker can't modify any ancestor directories of the directory containing this file, this is all you need to do. If the attacker can modify ancestor directories, then it's possible you followed a symlink on an earlier component of the path when you called lstat. Thus it gets a bit more complicated:

1. lstat() the first component of the path which might be a symlink. Save st_dev and st_ino.
2. chdir() into the next component of the path using a relative path.
3. stat() the current directory (.) and make sure the st_dev and st_ino are the same.
4. Repeat until you reach the directory containing the file.

When you've finally reached the directory containing the file, perform the original steps above, but make sure you call lstat() and open() on a relative path.

Answer 2

Be aware: setting an executable as non-executable doesn't prevent it from running if it is readable (not to mention the concept of copying the file).

$ cp /bin/ls ~/bin/ls
$ chmod a-x ~/bin/ls
$ /lib/x86_64-linux-gnu/ld-2.15.so ~/bin/ls
#Yup, that worked.

... though you can prevent that if the file isn't readable, which doesn't stop execution.

$ chmod a+x ~/bin/ls 
$ chmod a-r ~/bin/ls
$ ~/bin/ls
#Worked
$ /lib/x86_64-linux-gnu/ld-2.15.so ~/bin/ls 
/home/me/bin/ls: error while loading shared libraries: /home/me/bin/ls: cannot open shared object file: Permission denied

It could prevent a program from running as suid, but then the answer to that probably doesn't involve setting the execute bit.