bug-coreutils

Re: bug in chdir-safer


From: Eric Blake
Subject: Re: bug in chdir-safer
Date: Sat, 24 Dec 2005 07:36:16 -0700
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)


According to Jim Meyering on 12/23/2005 10:02 AM:
> int
> chdir_no_follow (char const *dir)
> {
>  int fail = -1;
>  struct stat sb;
>  struct stat sb_init;
>  int saved_errno = 0;
>  int fd;
> 
>  bool open_dereferences_symlink = ! O_NOFOLLOW;
> 
>  /* If open follows symlinks, lstat DIR first to ensure that it is
>     a directory and to get its device and inode numbers.  */
>  if (open_dereferences_symlink
>      && (lstat (dir, &sb_init) != 0 || ! S_ISDIR (sb_init.st_mode)))
>    return fail;

Don't you want to set errno=ELOOP here?

> 
>  fd = open (dir, O_NOFOLLOW | O_RDONLY | O_NDELAY);
> 
>  if (0 <= fd
>      && fstat (fd, &sb) == 0
>      /* If DIR is a different directory, then someone is trying to do
>      something nasty.  However, the risk of
>      such an attack is so low that it isn't worth a special diagnostic.
>      Simply skip the fchdir and set errno (to the same value that open
>      uses for symlinks with O_NOFOLLOW), so that the caller can
>      report the failure.  */
>      && ( ! open_dereferences_symlink || SAME_INODE (sb_init, sb)
>       || ((errno = ELOOP), 0))
>      && fchdir (fd) == 0)
>    {
>      fail = 0;
>    }
>  else
>    {
>      saved_errno = errno;
>    }
> 
>  if (0 <= fd)
>    close (fd); /* Ignore any failure.  */
> 
>  errno = saved_errno;
>  return fail;
> }
> 
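The early return questioned in the reply comes after a successful lstat, so errno is left untouched on that path. The sketch below is an added example, not part of the original message and not gnulib's code, showing the lstat/open/fstat fallback with errno set on every failure path. The names `chdir_no_follow_fallback` and `errno_for`, the choice of ENOTDIR for non-symlinks, and the `/tmp` fixture are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helper (not gnulib code): the lstat/open/fstat path used
   when open cannot refuse symlinks.  Returns 0, or -1 with errno set.  */
int
chdir_no_follow_fallback (char const *dir)
{
  struct stat before, after;
  int fd, err = 0;
  if (lstat (dir, &before) != 0)
    return -1;                  /* lstat set errno */
  if (! S_ISDIR (before.st_mode))
    {
      /* lstat succeeded, so errno is stale: set it before returning.
         ELOOP is what open reports for a symlink under O_NOFOLLOW.  */
      errno = S_ISLNK (before.st_mode) ? ELOOP : ENOTDIR;
      return -1;
    }
  fd = open (dir, O_RDONLY | O_NONBLOCK);
  if (fd < 0)
    return -1;                  /* open set errno */
  if (fstat (fd, &after) != 0)
    err = errno;
  else if (before.st_dev != after.st_dev || before.st_ino != after.st_ino)
    err = ELOOP;                /* DIR changed between lstat and open */
  else if (fchdir (fd) != 0)
    err = errno;
  close (fd);                   /* fd 0 is a valid descriptor too */
  return err ? (errno = err, -1) : 0;
}

/* Constructed fixture in a fresh temp dir; returns errno for NAME, 0 if ok.  */
int
errno_for (char const *name)
{
  char tmpl[] = "/tmp/cnf-XXXXXX";
  int f;
  if (mkdtemp (tmpl) == NULL || chdir (tmpl) != 0
      || mkdir ("real", 0700) != 0 || symlink ("real", "link") != 0
      || (f = open ("file", O_CREAT | O_WRONLY, 0600)) < 0)
    return -1;
  close (f);
  return chdir_no_follow_fallback (name) == 0 ? 0 : errno;
}
int main (void) { return errno_for ("link") == ELOOP ? 0 : 1; }
```

The device/inode comparison only detects a swap between lstat and open; it cannot be exercised deterministically in a single-threaded fixture, so the checks cover the pre-open paths.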



