Re: TOCTTOU race (was: Potential security weakness in Guix services)
From: Bengt Richter
Subject: Re: TOCTTOU race (was: Potential security weakness in Guix services)
Date: Sun, 14 Feb 2021 18:19:05 +0100
User-agent: Mutt/1.10.1 (2018-07-13)
Hi,
On +2021-02-14 13:29:29 +0100, Maxime Devos wrote:
> On Sat, 2021-02-06 at 22:26 +0100, Ludovic Courtès wrote:
> >
> > [...]
> > I understand the TOCTTOU race. However, activation code runs in two
> > situations: when booting the system (before shepherd takes over), and
> > upon ‘guix system reconfigure’ completion.
> >
Until we have a guix jargon file and a
guix gloss SEARCHARGS ...
convenience command, it is nice towards noobs to spell out
an abbreviation or acronym on first use ;-)
--8<---------------cut here---------------start------------->8---
Time-of-check to time-of-use
From Wikipedia, the free encyclopedia
(Redirected from TOCTTOU)
In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU
or TOC/TOU) is a class of software bugs caused by a race condition
involving the checking of the state of a part of a system (such as a
security credential) and the use of the results of that check.
TOCTOU race conditions are common in Unix between operations on the
file system,^[1] but can occur in other contexts, including local
sockets and improper use of database transactions. In the early 1990s,
the mail utility of BSD 4.3 UNIX had an exploitable race condition for
temporary files because it used the mktemp()^[2] function.^[3] Early
versions of OpenSSH had an exploitable race condition for Unix domain
sockets.^[4] They remain a problem in modern systems; as of 2019, a
TOCTOU race condition in Docker allows root access to the filesystem of
the host platform.^[5]
--8<---------------cut here---------------end--------------->8---
[...snip...]
--
Regards,
Bengt Richter
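
The file-system form of the check/use gap defined in the quoted text, shown as an added example that is not part of the original message and is not Guix code. The file names, the `race` hook (standing in for a concurrent process) and the function names are constructed for illustration.

```python
import os
import stat
import tempfile

MSG = b"written by privileged code\n"

def racy_append(path, race=None):
    """Check by name, then use by name: the path is resolved twice."""
    if not stat.S_ISREG(os.lstat(path).st_mode):    # time of check
        raise PermissionError("not a regular file")
    if race:
        race()                                      # constructed race window
    with open(path, "ab") as f:                     # time of use, follows symlinks
        f.write(MSG)

def fd_append(path, race=None):
    """Open once without following symlinks, then check and use the same fd."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):  # check the opened object
            raise PermissionError("not a regular file")
        if race:
            race()                                  # the name may change; the fd does not
        os.write(fd, MSG)
    finally:
        os.close(fd)

def bytes_leaked(writer):
    """Swap the name mid-call; return how many bytes reached 'protected'."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected")
        target = os.path.join(d, "target")
        for p in (protected, target):
            open(p, "wb").close()
        def race():
            # Constructed stand-in for another process replacing the name.
            os.unlink(target)
            os.symlink(protected, target)
        writer(target, race)
        return os.path.getsize(protected)

if __name__ == "__main__":
    print("check-then-use by name:", bytes_leaked(racy_append))
    print("check and use on one fd:", bytes_leaked(fd_append))
```

If the name is swapped before the `os.open` call instead, `O_NOFOLLOW` makes the open fail rather than follow the link.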