Permission Race Condition During Resource Copy
Compound Element ID: 689 (Compound Element Base: Composite) | Status: Draft
Description Summary
Reference | Description |
---|---|
CVE-2002-0760 | Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified. |
CVE-2005-2174 | Product inserts a new object into database before setting the object's permissions, introducing a race condition. |
CVE-2006-5214 | Error file has weak permissions before a chmod is performed. |
CVE-2005-2475 | Archive permissions issue using hard link. |
CVE-2003-0265 | Database product creates files world-writable before initializing the setuid bits, leading to modification of executables. |
This is a general issue, although few subtypes are currently known. The most common examples occur in file archive extraction, in which the product begins the extraction with insecure default permissions, then only sets the final permissions (as specified in the archive) once the copy is complete. The larger the archive, the larger the timing window for the race condition. This weakness has also occurred in some operating system utilities that perform copies of deeply nested directories containing a large number of files.
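The extraction pattern described above next to a hardened form, as an added example that is not part of the original entry. The function names, the sample payload and the 022 umask are assumptions made for illustration; each copy function returns the permission bits visible to other local users while the copy is still in progress.

```python
import os
import stat
import tempfile

def mode_of(path):
    """Permission bits of path as other local users would see them."""
    return stat.S_IMODE(os.stat(path).st_mode)

def copy_weak(data, dest, final_mode):
    """Weak pattern: create with default permissions, restrict afterwards."""
    old = os.umask(0o022)  # assumption: a common default umask
    try:
        with open(dest, "wb") as f:      # created 0666 & ~umask = 0644
            f.write(data)
            f.flush()
            mid_copy = mode_of(dest)     # exposure while the copy is running
    finally:
        os.umask(old)
    os.chmod(dest, final_mode)           # the window closes only here
    return mid_copy

def copy_hardened(data, dest, final_mode):
    """Create owner-only, write, then set the final mode through the open fd."""
    # O_EXCL fails if dest already exists, including as a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(dest, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        mid_copy = mode_of(dest)
        # fchmod acts on the file we created, not on whatever the path names now.
        os.fchmod(f.fileno(), final_mode)
    return mid_copy

def demo():
    data = b"constructed sample payload"
    with tempfile.TemporaryDirectory() as d:
        weak, hard = os.path.join(d, "weak.bin"), os.path.join(d, "hard.bin")
        weak_mid = copy_weak(data, weak, 0o640)
        hard_mid = copy_hardened(data, hard, 0o640)
        return weak_mid, hard_mid, mode_of(weak), mode_of(hard)

if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

Both copies end at the same final mode; only the weak one is readable by other users during the write.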
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
Requires | | 362 | Race Condition | Research Concepts 1000 |
Requires | | 732 | Incorrect Permission Assignment for Critical Resource | Research Concepts 1000 |
ChildOf | | 275 | Permission Issues | Development Concepts (primary) 699 |
ChildOf | | 668 | Exposure of Resource to Wrong Sphere | Research Concepts (primary) 1000 |
Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete.