TONT 37233 When people ask for security holes as features: global writable files

Published 2020-04-04 on aoisnow.net (category: tont_history). The post is a Chinese translation of a Raymond Chen article from The Old New Thing, with the English original quoted paragraph by paragraph; the English text is given here.

Original link: https://devblogs.microsoft.com/oldnewthing/20041122-00/?p=37233

If I had a nickel each time somebody asked for a feature that was a security hole…

I'd have a lot of nickels.

For example, "I want a file that all users can write to. My program will use it as a common database of goodies."

This is a security hole. For a start, there's an obvious denial of service attack by having a user open the file in exclusive mode and never letting go. There's also a data tampering attack, where the user opens the file and writes zeros all over it or merely alters the data in subtle ways. Your music index suddenly lost all its Britney Spears songs. (Then again, maybe that's a good thing. Sneakier would be to edit the index so that when somebody tries to play a Britney Spears song, they get Madonna instead.) [Minor typo fixed. 10am]

A colleague from the security team pointed out another problem with this design: disk quotas. Whoever created the file is charged for the disk space consumed by that file, even if most of the entries in the file belong to someone else. If you create the file in your Setup program, then it will most likely be owned by an administrator. Administrators are exempt from quotas, which means that everybody can party their data into the file for free! (Use alternate data streams so you can store your data there without affecting normal users of the file.) And if the file is on the system partition (which it probably is), then users can try to fill up all the available disk space and crash the system.

(Translator's note: for "alternate data stream" the common Chinese rendering 交换数据流 is used here, though I personally think 备用数据流 would be the better translation.)

If you have a shared resource that you want to let people mess with, one way to do this is with a service. Users do not access the resource directly but rather go through the service. The service decides what the user is allowed to do with the resource. Maybe some users are permitted only to increment the "number of times played" counter, while others are allowed to edit the song titles. If a user is hogging the resource, the server might refuse connections for a while from that user.

A file doesn't give you this degree of control over what people can do with it. If you grant write permission to a user, then that user can write to any part of the file. The user can open the file in exclusive mode and prevent anybody else from accessing it. The user can put fake data in the file in an attempt to confuse the other users on the machine.

In other words, the user can make a change to the system that impacts how other users can use the system. This sort of "impact other users" behavior is something that is reserved for administrators. An unprivileged user should be allowed only to mess up his own life; he shouldn't be allowed to mess up other users' lives.

Armed with this information, perhaps now you can answer this question posted to comp.os.ms-windows.programmer a few months ago.