Tom Haynes writes:
> James Carlson wrote:
> >
> > The part that tripped me up here was the double stat().  The actual
> > code seems to use a "stat-opendir-fstat-fstat" pattern, where that
> > first fstat is the "new" one, and is actually there just to dummy out
> > the results from the second one.  (As a code review comment, it looks
> > like this dummying-out could be done by way of a boolean_t rather than
> > calling fstat() an extra time merely to overwrite &statb.)
> >
>
> Hmm, with the fstat() as shown in the code, I'd agree.
OK, then at least we're in sync there.

> But what I'm proposing is to redo the stat() and still do the security
> check.  What if the directory had been moved?  With autofs, this is very
> unlikely.  With nfs, it can happen.  My intent is to provide a mechanism
> to detect such edge conditions.

In that case, I don't follow.  What security problem can you detect by
doing a stat() call _after_ having opened a file system node of any
sort?  Can you provide the details of a scenario in which some sort of
timing-based attack is caught by this fix?

Perhaps we're getting a bit too close to the point of design or code
review instead of architecture, but other than simply disabling the
security check, I don't see how the new feature contributes towards
additional security.

--
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
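The stat-opendir-fstat pattern the thread is arguing about, as an added illustration that is not the Solaris automounter code and not anything either poster wrote. The directory policy (owned by root or the caller, not group/world writable), the `window_hook` callback used to make the race window deterministic, the `demo()` scaffolding and the /tmp tree it builds are all assumptions made for this example. The point it demonstrates is the one raised in the reply: the check that actually binds the security decision to the object you are holding is `fstat()` on the open descriptor compared against the `stat()` result by `st_dev`/`st_ino`; a second `stat()` by path after `opendir()` just looks the name up again and cannot tell you whether the thing you opened is the thing you checked.

```c
#define _XOPEN_SOURCE 700
#include <sys/types.h>
#include <sys/stat.h>
#include <dirent.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcomes of open_dir_checked(). */
enum dirchk {
    DIRCHK_OK = 0,
    DIRCHK_STAT,     /* stat(path) failed */
    DIRCHK_NOTDIR,   /* path is not a directory */
    DIRCHK_PERM,     /* owner/mode policy failed */
    DIRCHK_OPEN,     /* opendir() failed */
    DIRCHK_FSTAT,    /* fstat() on the open descriptor failed */
    DIRCHK_SWAPPED   /* the object we opened is not the one stat() checked */
};

/* Hypothetical hook: only exists so the demo can act inside the race window. */
typedef void (*window_hook)(void *arg);

/* stat -> opendir -> fstat.  The policy check runs on the stat() result;
 * fstat() on the descriptor then proves that what opendir() returned is the
 * same inode that passed the check.  A path-based stat() after the open
 * could not prove that: it would report whatever the path names *now*. */
int open_dir_checked(const char *path, window_hook hook, void *arg, DIR **out)
{
    struct stat sb, fb;
    DIR *d;

    *out = NULL;
    if (stat(path, &sb) != 0)
        return DIRCHK_STAT;
    if (!S_ISDIR(sb.st_mode))
        return DIRCHK_NOTDIR;
    /* Example policy (an assumption): root- or caller-owned, no g/o write. */
    if ((sb.st_uid != 0 && sb.st_uid != geteuid()) ||
        (sb.st_mode & (S_IWGRP | S_IWOTH)) != 0)
        return DIRCHK_PERM;

    if (hook != NULL)
        hook(arg);              /* the TOCTOU window: attacker or NFS acts here */

    if ((d = opendir(path)) == NULL)
        return DIRCHK_OPEN;
    if (fstat(dirfd(d), &fb) != 0) {
        closedir(d);
        return DIRCHK_FSTAT;
    }
    if (fb.st_dev != sb.st_dev || fb.st_ino != sb.st_ino) {
        closedir(d);            /* the path was re-pointed under us */
        return DIRCHK_SWAPPED;
    }
    *out = d;
    return DIRCHK_OK;
}

/* ---- demo scaffolding: a constructed tree under /tmp (assumed writable) ---- */
struct tree { char good[256], other[256]; };

static int make_tree(struct tree *t)
{
    char base[] = "/tmp/dirchkXXXXXX";
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(t->good,  sizeof t->good,  "%s/good",  base);
    snprintf(t->other, sizeof t->other, "%s/other", base);
    return (mkdir(t->good, 0700) == 0 && mkdir(t->other, 0700) == 0) ? 0 : -1;
}

/* Inside the window, replace the checked (empty) directory with another one;
 * rename(2) of a directory over an empty directory is allowed. */
static void swap_dirs(void *arg)
{
    struct tree *t = arg;
    rename(t->other, t->good);
}

/* Run one scenario and return the enum dirchk result (-1 on setup failure). */
int demo(int make_world_writable, int race_in_window)
{
    struct tree t;
    DIR *d;
    int r;

    if (make_tree(&t) != 0)
        return -1;
    if (make_world_writable)
        chmod(t.good, 0777);
    r = open_dir_checked(t.good, race_in_window ? swap_dirs : NULL, &t, &d);
    if (d != NULL)
        closedir(d);
    return r;
}

int main(void)
{
    printf("clean open:            %d (expect %d)\n", demo(0, 0), DIRCHK_OK);
    printf("swapped in window:     %d (expect %d)\n", demo(0, 1), DIRCHK_SWAPPED);
    printf("world-writable target: %d (expect %d)\n", demo(1, 0), DIRCHK_PERM);
    return 0;
}
```

The swap scenario is the case Tom describes (the directory moved between the check and the open); it is caught by the fstat comparison, not by any call made by path after the fact. The demo leaves its small /tmp tree behind, which is deliberate so the three cases can be inspected afterwards.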
