This is the mail archive of the cygwin-patches mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH v2 0/3] Support opening a symlink with O_PATH | O_NOFOLLOW

From: Ken Brown <kbrown at cornell dot edu>
To: "cygwin-patches at cygwin dot com" <cygwin-patches at cygwin dot com>
Date: Mon, 13 Jan 2020 18:50:05 +0000
Subject: Re: [PATCH v2 0/3] Support opening a symlink with O_PATH | O_NOFOLLOW
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cornell.edu; dmarc=pass action=none header.from=cornell.edu; dkim=pass header.d=cornell.edu; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=g/wrX+pggYJ4RaU39eU80hT3SPArWupGhgcn1abaqF8=; b=iRL7wL8zSbw3MiDUClW7jAZ1QfJCz0bQPhwkxMZrsbqI9MWHvvxg7TaeEbnbnGGVXRLzY5NRdY2ykL74hNEYfW4+pGfSyJcvLDzQQN8xachH57JNMHXqYWxEaGoWxW170O+GvnF3TaGX6WvD8K/YXIaAZLMLVqBIQ3OXejN5CRm3bgEeTFZQG4Gbr2Gpna1VK2N2M3Vf3JDG04F4iVOncRcqotE3izj+skfBZx8VX46wn2l2ZnFtcRg5ptmdrz+biNQlrzC54Nbkvyp4pwYSrAQUeFa6xhdrRvZSEJZY/089xUw2uyxSqalVfPQuDVhS009ixLPCsSbqkh4mPRq1Eg==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hcN3kZkZrNXjTrT428gFpOybPBN5NWkFLx8Jd6iL60BLQHhpnK6mbZRIpy6V2tCRBZbXqucUa648NDH+SdRICJcHlstkeMdaqsC7ATSt3QzlgHthNoDdZ+CmSZeM676eWp9gBzVegs2mLI559+MmYv5WSYezJUE7sCKlhBg7kYBPGSXx/lT0AsXCSkew4MZ7bXGIpq3oULdx1469V2n3mJaJQQmu42Tpcpqz+tU9jU7odP+DDIKsm/aaKIKeq191M61yOntwyQCJJJDZtvG8CRTsmf7cWjcvgkTroshS4PdPwyTZaDKYsbcGomIvJBtCDG5/5MAHMNCqDNZc2u2jbg==
References: <20191229175637.1050-1-kbrown@cornell.edu> <20200113152809.GE5858@calimero.vinschen.de> <9f83d272-2dad-f652-d0c8-f3eb3b425ac2@cornell.edu> <20200113183430.GR5858@calimero.vinschen.de> <20200113183952.GS5858@calimero.vinschen.de>

On 1/13/2020 1:39 PM, Corinna Vinschen wrote:
> On Jan 13 19:34, Corinna Vinschen wrote:
>> On Jan 13 16:53, Ken Brown wrote:
>>> On 1/13/2020 10:28 AM, Corinna Vinschen wrote:
>>>> On Dec 29 17:56, Ken Brown wrote:
>>>>> [...]
>>>>> Note: The man page mentions fchownat and linkat also.  linkat already
>>>>> supports the AT_EMPTY_PATH flag, so nothing needs to be done.  But I
>>>>> don't understand how this could work for fchownat, because fchown
>>>>> fails with EBADF if its fd argument was opened with O_PATH.  So I
>>>>> haven't touched fchownat.
>>>>
>>>> It was never supposed to work that way.  We can make fchownat work
>>>> with AT_EMPTY_PATH, but using it on a file opened with O_PATH
>>>> contradicts the Linux open(2) man page, afaics:
>>>>
>>>>    O_PATH (since Linux 2.6.39)
>>>>     Obtain a file descriptor that can be used for two  purposes:  to
>>>>     indicate a location in the filesystem tree and to perform opera‐
>>>>     tions that act purely at the file descriptor  level.   The  file
>>>>     itself  is not opened, and other file operations (e.g., read(2),
>>>>     write(2), fchmod(2), fchown(2), fgetxattr(2), ioctl(2), mmap(2))
>>>>                          ^^^^^^^^^
>>>>     fail with the error EBADF.
>>>>     ^^^^^^^^^           ^^^^^
>>>>
>>>> That'd from the current F31 man pages.
>>>>
>>>>> Am I missing something?
>>>>
>>>> Good question.  Let me ask in return, did *I* now miss something?
>>>
>>> I don't think so.  I think we agree, although maybe I didn't express myself
>>> clearly enough for that to be obvious.  What confused me was the following
>>> paragraph further down in the open(2) man page (still discussing O_PATH):
>>>
>>>     If pathname is a symbolic link and the O_NOFOLLOW flag is also
>>>     specified, then the call returns a file descriptor referring
>>>     to the symbolic link.  This file descriptor can be used as the
>>>     dirfd argument in calls to fchownat(2), fstatat(2), linkat(2),
>>>                                ^^^^^^^^^^^
>>>     and readlinkat(2) with an empty pathname to have the calls
>>>     operate on the symbolic link.
>>
>> That's the part I missed, apparently.  Implementing fchownat like this
>> may be a bit upside down.  The problem is that open(O_PATH) opens the
>> file with query_read_attributes (aka READ_CONTROL | FILE_READ_ATTRIBUTES),
>> to make sure the calls mentioned in the snippet I pasted don't succeed.
>>
>> If fchownat is supposed to work on a symlink like this, the easiest
>> approach may be checking for this scenario in fchownat and calling
>> lchown on the pathname instead.  Or something along these lines.
> 
> The alternative would be to open the sylink with more permissions, i.e.,
> query_write_control, aka READ_CONTROL | WRITE_OWNER | WRITE_DAC |
> FILE_WRITE_ATTRIBUTES.  I'm just hesitant to open up the descriptor
> like this.  It probably allows too many actions on the descriptor
> from user space...

OK, I'll follow your first suggestion, then, after verifying that fchownat 
really does work on a symlink opened this way on Linux.  I guess I was 
misinterpreting the man page.

Ken

References:
- Re: [PATCH v2 0/3] Support opening a symlink with O_PATH | O_NOFOLLOW
  - From: Corinna Vinschen
- Re: [PATCH v2 0/3] Support opening a symlink with O_PATH | O_NOFOLLOW
  - From: Ken Brown
- Re: [PATCH v2 0/3] Support opening a symlink with O_PATH | O_NOFOLLOW
  - From: Corinna Vinschen
- Re: [PATCH v2 0/3] Support opening a symlink with O_PATH | O_NOFOLLOW
  - From: Corinna Vinschen

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]