caused by a race condition involving
more re Docker TOCTOU bug
Line 4:
TOCTOU race conditions are common in [[Unix]] between operations on the [[File system#Metadata|file system]],<ref>{{Cite web|url=https://www.usenix.org/conference/fast-05/tocttou-vulnerabilities-unix-style-file-systems-anatomical-study|title=TOCTTOU Vulnerabilities in UNIX-Style File Systems: An Anatomical Study|last=Wei|first=Jinpeng|last2=Pu|first2=Calton|date=|website=www.usenix.org|archive-date=|dead-url=|access-date=2019-01-14}}</ref> but can occur in other contexts, including local [[Unix ___domain socket|sockets]] and improper use of [[database transaction]]s. In the early 1990s, the mail utility of BSD 4.3 UNIX had an [[Exploit (computer security)|exploitable]] race condition for temporary files because it used the [[C_standard_library#Threading_problems,_vulnerability_to_race_conditions|mktemp() C library function]].<ref>{{cite web |author=Shangde Zhou(周尚德) |date=1991-10-01 |title=A Security Loophole in Unix |url=http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html |deadurl=yes |archiveurl=https://archive.is/20130116041403/http://cdblp.cn/paper/UNIX%E7%9A%84%E4%B8%80%E4%B8%AA%E6%BC%8F%E6%B4%9E/94334.html |archivedate=2013-01-16 |df= }}</ref>
Early versions of [[OpenSSH]] had an exploitable race condition for [[Unix ___domain sockets]].<ref>{{cite web |last=Acheson |first=Steve |date=1999-11-04 |title=The Secure Shell (SSH) Frequently Asked Questions |url=http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html |deadurl=yes |archiveurl=https://web.archive.org/web/20170213004928/http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html |archivedate=2017-02-13 |df= }}</ref> They remain a problem in modern systems; as of 2019, a TOCTOU race condition in [[Docker (software)|Docker]] allows root access to the filesystem of the host platform.<ref>{{Cite web|url=https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system|title=Docker Bug Allows Root Access to Host File System|website=Decipher|language=en|access-date=2019-05-29}}</ref>
== Examples ==
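Review bot: in the closing sentence of the paragraph, "They remain a problem in modern systems" follows a sentence whose subject is early versions of OpenSSH, so "They" has no clear antecedent; name the subject, for example "TOCTOU race conditions remain a problem in modern systems". The Docker claim in the same sentence is in the present tense ("allows root access to the filesystem of the host platform"), dated only by "as of 2019" and supported by a single news citation, so it will read as current after a fix ships; phrase it so it stays accurate once the bug is patched, and say which operation the race involves, since the paragraph never states it. Separately, the Wei and Pu citation carries empty `date=`, `archive-date=` and `dead-url=` parameters while the other citations use `deadurl`/`archiveurl`; drop the empty parameters or make the style consistent.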