LinuxQuestions.org
Old 07-17-2012, 07:01 PM   #1
sarmads1
LQ Newbie
 
Registered: Jul 2012
Location: ca
Posts: 4

Rep: Reputation: Disabled
Embedded Linux Hard Link Suddenly Created on a Root Directory?


Hello
I work on an embedded linux, 2.6.10, and my storage media is flash NAND memory.

I am logged as usr1 over a machine that has NO ROOT log in.
I have a daemon that runs normally each 5 minutes, opens a config file, copies some parameters, fopen-creates a config.tmp file, pastes the parameters into it, then atomically calls
rename (the config.tmp file, into config file);

I am using the uni-std functions of GNU C and compile it as a live module owned by usr1.
rename() in C just renames whatever comes, and keeps NO trace of the original file.

Both config and config.tmp file are usr owned, created in a root directory, and the embedded system FORBIDS totally getting write permissions to that directory.


The code ran successfully over 3-4 years, over 100 machines.
Suddenly I found this on 1 machine only!
ls -l
drwxr-xr-x 4 root root 0 Jul 18 00:49 .
drwxr-xr-x 11 root root 0 Jan 1 1970 ..
-rw------- 2 usr1 users 442 Jul 18 03:44 config
-rw------- 2 usr1 users 442 Jul 18 03:44 config.tmp
other files here ....

As it is obvious, it is a root owned directory, and we CANNOT WRITE TO IT.
The number 2 stands for a hard link between config and config.tmp files - which I NEVER did, and NO ONE can create manually.

This is Linux Security Compromising - creating a file in a read only directory.
Could it be a race condition with another daemon?

Could anyone tell me the internals of the rename() function? Does it at any moment create a hardlink then delete the old file in GNU?

Or could the Linux storage daemon over the flash memory be the root cause of security problem?

After 3-4 years experience, I am facing this security breach for the 1st time!
Thanks
 
Old 07-17-2012, 10:27 PM   #2
ceyx
Member
 
Registered: May 2009
Location: Fort Langley BC
Distribution: Kubuntu,Free BSD,OSX,Windows
Posts: 342

Rep: Reputation: 59
How old is the flash Nand memory ?
 
Old 07-17-2012, 10:50 PM   #3
sarmads1
LQ Newbie
 
Registered: Jul 2012
Location: ca
Posts: 4

Original Poster
Rep: Reputation: Disabled
ceyx - thanks

Thanks for the reply
The unit I got this problem on is heavily functional for 6-7 months starting (from September 2011 till June 2012).
I am not sure about the "factory - shipping" process time - it is out of my knowledge - but it is supposed to be "new fabricated flash"
 
Old 07-17-2012, 11:06 PM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Could you add more information? From your description, the rename function should always fail, but you stated otherwise.
Please provide full path information in the ls command you gave. Where are the two files? In the root (/) directory? Using a relative address in your description removes information. It sounds like the file config and config.tmp are created in the root directory (/) but you shouldn't be able to do that as usr1 ever.

Are you renaming from a root owned directory without usr1 write access, to a directory with usr1 write access, always producing an error?

From the rename 2 manpage:
Code:
If newpath already exists it will be atomically replaced (subject to a few conditions; see ERRORS below), so that there is no point at which another process attempting to access newpath will find it missing.
One of the errors is "ENOMEM Insufficient kernel memory was available." If it is the kernel which provides the atomicity via a system call, and the kernel itself runs out of memory, you may have a file where the path portion of the name wasn't changed due to kernel failure.

The generic description for the rename system call has an additional line:
Code:
If newpath already exists it will be atomically replaced (subject to a few conditions; see ERRORS below), so that there is no point at which another process attempting to access newpath will find it missing.

If newpath exists but the operation fails for some reason rename() guarantees to leave an instance of newpath in place.

However, when overwriting there will probably be a window in which both oldpath and newpath refer to the file being renamed.

Last edited by jschiwal; 07-17-2012 at 11:14 PM.
 
Old 07-18-2012, 12:09 AM   #5
sarmads1
LQ Newbie
 
Registered: Jul 2012
Location: ca
Posts: 4

Original Poster
Rep: Reputation: Disabled
Jschiwal thanks

1- I wonder why you suppose rename fails always?
Please on your linux try

touch oldname.txt
ln oldname.txt newname.txt (this is hard link not symlink)
Then compile and run the file on
http://www.cplusplus.com/reference/c...cstdio/rename/
You will see that the same files will remain as they are and no perror - I was surprised by this fact - if both file names are hardlinked, rename doesn't fail

2- Full path
IT IS NOT /
is on a mount drive actually - since my embedded system is on flash, we mount it as /mnt/sram/......
Both files are on the same directory /mnt/sram


ls /mnt/sram/ -l
drwxr-xr-x 4 root root 0 Jul 18 00:49 .
drwxr-xr-x 11 root root 0 Jan 1 1970 ..
-rw------- 2 usr1 users 442 Jul 18 03:44 config
-rw------- 2 usr1 users 442 Jul 18 03:44 config.tmp


3- My rename usage is childish from cplusplus.com
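#include <stdio.h>
int main(void) {
    const char *name = "config";
    char newname[32];
    snprintf(newname, sizeof newname, "%s.tmp", name); /* strcat() into a string literal is undefined behaviour */
    /* I do parsing and processing here */
    int result = rename(name, newname);
    if (result != 0) perror("rename"); /* return -error from www-numi.fnal.gov/offline_software/srt_public_context/WebDocs/Errors/unix_system_errors.html */
    return result;
}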

About memory, normally I have plenty of memory on my /mnt/sram/ - besides I checked the resources of the system, 10% cpu time, 33% memory utilization normal operation

BUT:
Could you refer to that maybe?:
ONLY at the time when my code failed - the hardlink was created - that time rename had NOMEM Linux Error??
This is only duplicate-able when I:
while (p) { p = (char *) malloc(10); } And this will leave only 10 bytes data memory for rename
rename here!

Actually I tried duplicating the rename failure, by infinite looping and renaming, but still I couldn't create the hard link on normal system resources

Please advise
thanks

Last edited by sarmads1; 07-18-2012 at 12:16 AM.
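
Added example, not part of any poster's message or code: it rebuilds the `config` / `config.tmp` listing from the thread in a scratch directory and shows that a plain rename() between two hard links to the same inode returns 0 and leaves both names in place, so a daemon has to detect and clear that state itself. The names `same_inode`, `replace_config` and `demo`, and the `/tmp` scratch path, are assumptions made for the illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if both names exist and share one inode, 0 if not, -1 if stat() fails. */
static int same_inode(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0) return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Hypothetical wrapper: rename() on two links to one inode returns 0 and
 * does nothing, so drop the stray temporary name explicitly instead. */
static int replace_config(const char *tmp, const char *dst)
{
    if (same_inode(tmp, dst) == 1)
        return unlink(tmp);
    return rename(tmp, dst);
}

/* Constructed scratch data. Returns config's link count after a plain
 * rename(); stores the count after replace_config() in *fixed; -1 on error. */
static int demo(int *fixed)
{
    char dir[64], cfg[96], tmp[96];
    struct stat st;
    snprintf(dir, sizeof dir, "/tmp/rename-demo.%ld", (long)getpid());
    snprintf(cfg, sizeof cfg, "%s/config", dir);
    snprintf(tmp, sizeof tmp, "%s/config.tmp", dir);
    if (mkdir(dir, 0700) != 0) return -1;
    FILE *f = fopen(cfg, "w");
    if (!f) return -1;
    fputs("param=1\n", f); fclose(f);
    if (link(cfg, tmp) != 0) return -1;          /* link count becomes 2 */
    if (rename(tmp, cfg) != 0) return -1;        /* succeeds, changes nothing */
    if (stat(cfg, &st) != 0) return -1;
    int after_rename = (int)st.st_nlink;
    if (replace_config(tmp, cfg) != 0 || stat(cfg, &st) != 0) return -1;
    *fixed = (int)st.st_nlink;
    unlink(cfg); rmdir(dir);
    return after_rename;
}

int main(void)
{
    int fixed = 0, before = demo(&fixed);
    printf("links after rename(): %d, after replace_config(): %d\n", before, fixed);
    return !(before == 2 && fixed == 1);
}
```

While the two names share one inode, any write through `config.tmp` also changes `config` in place, so the write-then-rename update is no longer atomic until the stray link is removed.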
 
Old 07-19-2012, 06:21 PM   #6
orgcandman
Member
 
Registered: May 2002
Location: new hampshire
Distribution: Fedora, RHEL
Posts: 600

Rep: Reputation: 110
Where does your filesystem image reside? By that, I mean what manufacturing uses to stamp the NAND. If the master image has stray config and config.tmp files, I wouldn't be surprised by your results.
 
  


All times are GMT -5.
