Re: filesystem access security
From: Niels Möller
Subject: Re: filesystem access security
Date: 29 Nov 2003 23:12:03 +0100
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2
James Buchanan <jamesb.au@acm.org> writes:
> This requires that glibc always does a secure lookup, and then inspects
> the node to decide if it wants to resolve the translator or not. This
> adds a small cost to all cross-translator lookups, but cross-translator
> lookups are expensive already anyway.
I don't remember if this has been discussed already, but anyway: this
sounds like a race condition. I think the right thing to do is to
first open the node (using O_NOTRANS) and examine it. If the translator
is to be followed, the node should not be opened again; instead, one
needs a special function that follows the translator setting for the
opened node.
There's no such function in the current file interface, is there? One
design might be to have a general "reopen" mechanism that opens a file
with a new set of open flags (not all variants need to work; for
example, opening a translator file without O_NOTRANS and later
"reopening" it with O_NOTRANS, which could mean getting the underlying
file, might not work).
For security reasons, this should probably not be enabled by default
(if you open a file read-only, and pass the handle to some other
process, you probably don't want the other process to be able to
reopen the file in read-write mode, or reopen it with a different
value for the O_NOTRANS flag). But this could just be one more open
flag, say O_ALLOW_REOPEN.
Then glibc could do something like

    f = open(name, mode | O_NOTRANS | O_ALLOW_REOPEN);
    fstat(f, &st);
    if (translator that should be followed)
        f = reopen(f, mode);                /* Follow translator */
    else
        f = reopen(f, mode | O_NOTRANS);    /* Disable reopen */
Regards,
/Niels
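The race the reply describes, next to the descriptor-based pattern it argues for, as an added example that is not from the post nor from glibc or the Hurd. It runs on Linux: O_NOFOLLOW stands in for O_NOTRANS, a rename() stands in for a translator being set on the node between two lookups, the proposed reopen()/O_ALLOW_REOPEN is not modelled, and the paths under /tmp are constructed test data.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Write `text` to `path`, creating or truncating it (constructed test data). */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    return close(fd) == 0 && n == (ssize_t)strlen(text) ? 0 : -1;
}
/* The event the reply warns about: between two lookups the name comes to
   denote a different node (rename() stands in for a translator being set). */
static int swap_node(const char *path, const char *staging) {
    return write_file(staging, "replaced") < 0 ? -1 : rename(staging, path);
}
static int read_small(int fd, char *out, size_t len) {
    ssize_t n = read(fd, out, len - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}
/* Racy pattern: examine the node via one open (O_NOFOLLOW standing in for
   O_NOTRANS), drop it, then resolve the same name a second time. */
int check_then_open_by_name(const char *path, const char *staging, char *out, size_t len) {
    struct stat st;
    int f = open(path, O_RDONLY | O_NOFOLLOW);
    if (f < 0 || fstat(f, &st) < 0) return -1;
    close(f);                       /* decision taken from st; node dropped */
    swap_node(path, staging);       /* the window between the two lookups */
    int g = open(path, O_RDONLY);   /* second lookup: may be another node */
    if (g < 0) return -1;
    int rc = read_small(g, out, len);
    close(g);
    return rc;
}

/* Fixed pattern: keep using the descriptor that was examined; the name is
   never resolved again, so a change to it cannot be observed. */
int check_then_use_fd(const char *path, const char *staging, char *out, size_t len) {
    struct stat st;
    int f = open(path, O_RDONLY | O_NOFOLLOW);
    if (f < 0 || fstat(f, &st) < 0) return -1;
    swap_node(path, staging);
    int rc = read_small(f, out, len);   /* still the node we examined */
    close(f);
    return rc;
}
```

The first function reads "replaced" after the swap, the second still reads "original": only the descriptor, not the name, pins the node that was examined.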