From: ericblake AT comcast DOT net (Eric Blake)
To: Cygwin List
Subject: O_NOFOLLOW and safer chdir
Date: Thu, 22 Dec 2005 15:14:01 +0000

CVS coreutils now uses 's O_NOFOLLOW, when available, to avoid a data race when changing directories while avoiding symlinks (necessary for some traversal algorithms). Normally, calling lstat() to prove something is a directory, followed by chdir(), is a security risk, since lstat() could see a directory, then the attacker replaces the directory with a symlink, so that the program then changes to the wrong directory. But on platforms like newer Linux where O_NOFOLLOW causes open() to fail when opening symlinks, the sequence open(), fstat(), fchdir(), close() avoids the race by proving that the target is still a directory and has not been replaced by a symlink at the last minute.

It seems like it might be easy to add an O_NOFOLLOW flag to cygwin (perhaps post-1.5.19), especially since you recently added O_*SYNC and O_DIRECT. But I don't have copyright papers in place, so for now this is just a feature request that you are free to ignore, until someone provides an actual patch.

--
Eric Blake
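The open(), fstat(), fchdir(), close() sequence described in the message, as an added example that is not part of the original post and is not coreutils code. The names `safe_chdir` and `demo`, the constructed `/tmp` test tree, and the extra `O_NONBLOCK` flag are assumptions of this sketch; it targets a platform where `O_NOFOLLOW` makes open() fail on a symlink, such as Linux.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* chdir into `name` only if it is a real directory; 0 on success, -1 + errno. */
int safe_chdir(const char *name)
{
    struct stat st;
    int err = 0;
    /* O_NOFOLLOW: open() fails if the final component is a symlink
       (ELOOP on Linux). O_NONBLOCK keeps a FIFO from blocking the open. */
    int fd = open(name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* From here on we act on the opened object, not the name, so swapping
       `name` for a symlink can no longer redirect us. */
    if (fstat(fd, &st) != 0)
        err = errno;
    else if (!S_ISDIR(st.st_mode))
        err = ENOTDIR;
    else if (fchdir(fd) != 0)
        err = errno;
    close(fd);
    if (err) { errno = err; return -1; }
    return 0;
}

/* Constructed demo tree: <tmp>/real is a directory, <tmp>/link -> real.
   Returns safe_chdir()'s result for `entry` ("real" or "link"), -2 on setup error. */
int demo(const char *entry)
{
    char tmpl[] = "/tmp/nofollow-demo-XXXXXX";
    if (!mkdtemp(tmpl) || chdir(tmpl) != 0) return -2;
    if (mkdir("real", 0700) != 0 || symlink("real", "link") != 0) return -2;
    int rc = safe_chdir(entry);
    if (chdir(tmpl) != 0) return -2;   /* back to the tree root for cleanup */
    unlink("link"); rmdir("real");
    if (chdir("/") != 0) return -2;
    rmdir(tmpl);
    return rc;
}

int main(void)
{
    printf("real: %d, link: %d\n", demo("real"), demo("link"));
}
```

`O_NOFOLLOW` only guards the final path component, so a traversal that must avoid symlinks applies this one directory level at a time.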