X-Spam-Check-By: sourceware.org
Date: Thu, 22 Dec 2005 16:59:56 +0100
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: Cygwin List <cygwin AT cygwin DOT com>
Subject: Re: O_NOFOLLOW and safer chdir
Message-ID: <20051222155956.GA12452@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: Cygwin List <cygwin AT cygwin DOT com>
References: <122220051514 DOT 8964 DOT 43AAC2B9000D72C00000230422058891160A050E040D0C079D0A AT comcast DOT net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <122220051514.8964.43AAC2B9000D72C00000230422058891160A050E040D0C079D0A@comcast.net>
User-Agent: Mutt/1.4.2i
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Dec 22 15:14, Eric Blake wrote:
> CVS coreutils now uses <sys/fcntl.h>'s O_NOFOLLOW, when
> available, to avoid a data race when changing directories while
> avoiding symlinks (necessary for some traversal algorithms).  Normally,
> calling lstat() to prove something is a directory, followed by chdir(),
> is a security risk, since lstat() could see a directory, then the attacker
> replaces the directory with a symlink, so that the program then
> changes to the wrong directory.  But on platforms like newer Linux
> where O_NOFOLLOW causes open() to fail when opening symlinks,
> the sequence open(), fstat(), fchdir(), close() avoids the race
> by proving that the target is still a directory and has not been
> replaced by a symlink at the last minute.

It would actually be trivial to implement, but I'm wondering that
coreutils can't do the same without O_NOFOLLOW.  The sequence

 lstat, open, fstat, lstat.st_ino == fstat.st_ino

should make pretty clear if the directory in the lstat call is still
the same directory in the open call.  Am I missing something?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/