This is the mail archive of the
mailing list for the Cygwin project.
Re: O_NOFOLLOW and safer chdir
On Dec 22 15:14, Eric Blake wrote:
> CVS coreutils now uses <sys/fcntl.h>'s O_NOFOLLOW, when
> available, to avoid a data race when changing directories while
> avoiding symlinks (necessary for some traversal algorithms). Normally,
> calling lstat() to prove something is a directory, followed by chdir(),
> is a security risk, since lstat() could see a directory, then the attacker
> replaces the directory with a symlink, so that the program then
> changes to the wrong directory. But on platforms like newer Linux
> where O_NOFOLLOW causes open() to fail when opening symlinks,
> the sequence open(), fstat(), fchdir(), close() avoids the race
> by proving that the target is still a directory and has not been
> replaced by a symlink at the last minute.
It would actually be trivial to implement, but I'm wondering that
coreutils can't do the same without O_NOFOLLOW. The sequence
lstat, open, fstat, lstat.st_ino == fstat.st_ino
should make pretty clear if the directory in the lstat call is still
the same directory in the open call. Am I missing something?
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html