>From: James Carlson <james.d.carlson at sun.com>
>Subject: Re: Add S_IFTRIGGER to st_mode [PSARC/2007/563 FastTrack timeout
>
>Tom Haynes writes:
>> The issue here is that by the time we get to the fstatat() call, the
>> mount has already occurred. It isn't just the opendir() call which forces
>> the underlying vnops to trigger the mount. Whatever call we make to get
>> our hands on the file descriptor will force the mount to occur.
>
>The idea was to have the very first status check of the file be
>fstatat(), using the 'fd' parameter set to AT_FDCWD, and the 'path'
>presented to fstatat() would be the one you're just about to use for
>opendir().
>
>Then you can pass in the new AT_TRIGGER (or whatever you want to call
>it; prepend with "_" if you want to keep it private until the
>standards organizations can act), and fstatat() can trigger the
>automount if needed before reading and returning the stat structure.
>
>I view this as a security improvement, as it brings the
>stat-opendir-fstat sequence into line for the special case of
>autofs/nfs.

Yes.

>Your proposal is roughly equivalent to the current code. The current
>code just does a string compare to see if the node is autofs/nfs, and
>the fix you've proposed is to add a flag that has exactly equivalent
>semantics and simply avoids the ugly string compares.
>
>Thus, while I see that your flag is indeed an improvement over the
>current code (it makes the existing test much cleaner), and I'm not
>opposed to it on those grounds, I just think it could be better. The
>only question I have is whether AT_TRIGGER is too hard to implement.
>I can't answer that question, because I don't know this code well.
>I'd like to know from you (or from any expert on the code in question)
>whether this is a reasonable possibility.

I'm still strongly opposed. If the path presented to the first *stat*()
function is a symlink pointing to an autofs/nfs directory, the symlink
can be changed between the *stat*() call and the opendir() call and this
spoofing action cannot be reliably detected by the application. With
AT_TRIGGER, this spoofing action can be caught every time it happens.

- Don

>If it's not, then I'm fine with your original change plus an RFE for
>the stat-with-trigger feature, because I think it's a cleaner way to
>go.
>
>--
>James Carlson, Solaris Networking <james.d.carlson at sun.com>
>Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
>MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
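Added example, not code from the thread or from the PSARC case: the stat-opendir-fstat sequence James refers to, written in plain POSIX C with a device/inode comparison so that a name (or a symlink in it) swapped between the first stat and opendir(), the case Don raises, is detected rather than silently followed. AT_TRIGGER and S_IFTRIGGER are not assumed to exist; the helper name open_dir_checked is my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example: stat the name, open it, then fstat the descriptor we
 * actually hold and compare identity.  Returns 0 when both looks agree
 * (*out holds the open DIR), 1 when the object behind the name changed
 * between them (closed again, *out NULL), -1 on error with errno set. */
int open_dir_checked(const char *path, DIR **out)
{
    struct stat before, after;
    DIR *d;

    *out = NULL;
    /* First look: fstatat() relative to the cwd, following symlinks, on
     * exactly the string that is about to be handed to opendir(). */
    if (fstatat(AT_FDCWD, path, &before, 0) != 0)
        return -1;
    if (!S_ISDIR(before.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    d = opendir(path);
    if (d == NULL)
        return -1;
    /* Second look on the descriptor: no path lookup happens here, so
     * nothing can be substituted between this fstat() and later use. */
    if (fstat(dirfd(d), &after) != 0) {
        int save = errno;
        closedir(d);
        errno = save;
        return -1;
    }
    if (before.st_dev != after.st_dev || before.st_ino != after.st_ino) {
        /* Symlink retargeted or mount triggered after the first look. */
        closedir(d);
        return 1;
    }
    *out = d;
    return 0;
}
```

On an autofs mount point the first fstatat() may describe the unmounted directory while opendir() triggers the mount, so a return of 1 there is exactly the gap the thread discusses; without a trigger flag the caller can only retry.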
