I'm writing some highly portable security code. I'm trying to avoid a security flaw in a utility program, such as this one found in some versions of sudo:

... it is possible to become the super user by running sudo -k and then resetting the system clock to 01-01-1970.

This happens because sudo relies on absolute (aka calendar) time to determine whether or not access has timed out.
My idea is to use CLOCK_MONOTONIC, defined in time.h.
From the POSIX standard,
[CLOCK_MONOTONIC is] defined as a clock whose value cannot be set via clock_settime() and which cannot have backward clock jumps. The maximum possible clock jump shall be implementation-defined.
Problem is, on many (most?) systems, CLOCK_MONOTONIC resets on reboot. Is there any guaranteed POSIX-compliant way to determine whether or not the system has rebooted since a program last ran?
One (bad) way is to check whether or not the stored clock value is greater than the current clock value, however this just shifts the problem. On systems where CLOCK_MONOTONIC resets on reboot, there could be a short window of length TIMEOUT where access would be permitted.
What am I missing that would avoid this problem?
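The timeout check the question describes, written out as an added C example (not code from the question or from sudo) so the reboot window is concrete. It assumes a hypothetical credential cache that stores the CLOCK_MONOTONIC seconds at which access was granted, and a TIMEOUT_SECONDS constant standing in for the question's TIMEOUT; the sample timestamps are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Stand-in for the question's TIMEOUT (assumed value: 5 minutes). */
#define TIMEOUT_SECONDS 300

/* Read CLOCK_MONOTONIC as whole seconds; returns -1 on failure.
 * Unlike CLOCK_REALTIME this cannot be moved backwards with date(1),
 * but on many systems it restarts from a small value after a reboot. */
int64_t monotonic_now_seconds(void) {
    struct timespec ts;
    if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0)
        return -1;
    return (int64_t)ts.tv_sec;
}

/* Decide whether a cached ticket is still valid.
 *   stored_mono: CLOCK_MONOTONIC seconds saved when access was granted
 *   now_mono:    CLOCK_MONOTONIC seconds at the time of the check
 *   timeout:     validity window in seconds
 * A stored value greater than "now" can only mean the monotonic clock
 * restarted, so the ticket is treated as expired (the "bad" check from
 * the question). Otherwise the ticket is valid while less than timeout
 * seconds have elapsed. */
bool ticket_valid(int64_t stored_mono, int64_t now_mono, int64_t timeout) {
    if (stored_mono < 0 || now_mono < 0)
        return false;                 /* clock unavailable: fail closed */
    if (stored_mono > now_mono)
        return false;                 /* clock went backwards: reboot */
    return (now_mono - stored_mono) < timeout;
}

/* Show the window the question describes: a ticket granted shortly after
 * one boot is indistinguishable from a fresh ticket shortly after the
 * next boot, because both monotonic readings are small. */
static void show(const char *label, int64_t stored, int64_t now) {
    printf("%-40s stored=%6lld now=%6lld -> %s\n", label,
           (long long)stored, (long long)now,
           ticket_valid(stored, now, TIMEOUT_SECONDS) ? "VALID" : "expired");
}

int main(void) {
    /* Constructed sample timestamps (seconds since boot). */
    show("granted 100s ago, same boot",        3700, 3800);
    show("granted 400s ago, same boot",        3400, 3800);
    show("granted at 3400s, then rebooted",    3400,   60);
    show("granted at 20s, rebooted, now 60s",    20,   60); /* the window */

    int64_t now = monotonic_now_seconds();
    printf("live CLOCK_MONOTONIC: %lld s\n", (long long)now);
    return 0;
}
```

The fourth case is the point of the question: the stored-greater-than-now test catches a reboot only when the pre-reboot timestamp was larger than the post-reboot one, so a ticket issued within TIMEOUT of a boot survives a reboot for up to TIMEOUT seconds.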