On Fri, Oct 05, 2007 at 03:37:01PM -0400, James Carlson wrote:
> Don Cragun writes:
> > I'm still strongly opposed.  If the path presented to the first
> > *stat*() function is a symlink pointing to an autofs/nfs directory, the
> > symlink can be changed between the *stat*() call and the opendir() call
> > and this spoofing action cannot be reliably detected by the
> > application.  With AT_TRIGGER, this spoofing action can be caught every
> > time it happens.
>
> Yes.  However, that's actually the same state we are in right now
> (with no fix at all), and the state we've been in since February 2005
> when CR 6198351 integrated and added the autofs-testing logic.  It's a
> hole that ought to be fixed, but it's a little less clear to me that
> it's this project team's responsibility to do so.

This hole is not much of a hole for the autofs case because users don't
normally get to make symlinks in autofs directories.  That consideration
does not apply here, so technically the change made for autofs did not
introduce a security bug, but this change would.

Nico
--
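
The window between the *stat*() call and the opendir() call that this thread discusses, shown as an added example that is not part of the original mail or of the project's code. It uses only generic POSIX calls (not the AT_TRIGGER flag under discussion), and the names check_dir and open_checked_dir are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1 (the check): look at the path without following a final symlink.
 * Returns 0 and fills *seen only if the path is a real directory. */
int check_dir(const char *path, struct stat *seen)
{
    if (lstat(path, seen) != 0)
        return -1;
    return S_ISDIR(seen->st_mode) ? 0 : -1;
}

/* Step 2 (the use): open first, then verify the object actually opened.
 * O_NOFOLLOW rejects a final component that has become a symlink; the
 * st_dev/st_ino comparison rejects a swap to a different directory.
 * Returns a DIR* bound to the verified descriptor, or NULL. */
DIR *open_checked_dir(const char *path, const struct stat *seen)
{
    struct stat now;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return NULL;
    if (fstat(fd, &now) != 0 ||
        now.st_dev != seen->st_dev || now.st_ino != seen->st_ino) {
        close(fd);
        return NULL;
    }
    DIR *d = fdopendir(fd);     /* reads the fd we verified, not the path */
    if (d == NULL)
        close(fd);
    return d;
}

int main(int argc, char **argv)
{
    struct stat seen;
    const char *path = argc > 1 ? argv[1] : ".";
    if (check_dir(path, &seen) != 0) {
        puts("not a real directory");
        return 1;
    }
    DIR *d = open_checked_dir(path, &seen);
    puts(d ? "opened and verified" : "path changed between check and open");
    if (d)
        closedir(d);
    return d ? 0 : 1;
}
```

O_NOFOLLOW covers only the final path component, and this sketch does not model automount trigger points, where opening the directory may itself change what the descriptor refers to.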
