This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: O_NOFOLLOW and safer chdir


On Dec 22 15:14, Eric Blake wrote:
> CVS coreutils now uses <sys/fcntl.h>'s O_NOFOLLOW, when
> available, to avoid a data race when changing directories while
> avoiding symlinks (necessary for some traversal algorithms).  Normally,
> calling lstat() to prove something is a directory, followed by chdir(),
> is a security risk, since lstat() could see a directory, then the attacker
> replaces the directory with a symlink, so that the program then
> changes to the wrong directory.  But on platforms like newer Linux
> where O_NOFOLLOW causes open() to fail when opening symlinks,
> the sequence open(), fstat(), fchdir(), close() avoids the race
> by proving that the target is still a directory and has not been
> replaced by a symlink at the last minute.

It would actually be trivial to implement, but I'm wondering that
coreutils can't do the same without O_NOFOLLOW.  The sequence

 lstat, open, fstat, lstat.st_ino == fstat.st_ino

should make pretty clear if the directory in the lstat call is still
the same directory in the open call.  Am I missing something?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]