Alexander Viro wrote:
>
> Folks, before you get all excited about cramming side effects into
> open(2), consider the following case:
>
> 1) opening "/dev/zero/start_nuclear_war" has a certain side effect.
>
> 2) Local user does the following:
> ln -sf /dev/zero/start_nuclear_war bar
> while true; do
> mkdir foo
> rmdir foo
> ln -sf bar foo
> rm foo
> done
>
> 3) Comes the night and root runs (from crontab) updatedb(8). Said beast
> includes find(1). With sufficiently bad timing find _will_ be tricked
> into attempt to open foo. It will honestly lstat() it, all right. But
> there's no way to make sure that subsequent open() on the found directory
> will get the same object.
>
> 4) Side effect happens...
>
> Similar scenarios can be found for other programs run by/as root, but I
> think that the point is obvious - side effects on open() are not a good
> idea. Yes, we can play with checking for O_DIRECTORY, yodda, yodda, but
> I wouldn't bet a dime on security of a system with such side effects.
> A lot of stuff relies on the fact that close(open(foo, O_RDONLY)) is a
> no-op. Breaking that assumption is a Bad Thing(tm).
Can't this easily avoided if the needed action is not
< /dev/zero/start_nuclear_war
or
> /dev/zero/start_nuclear_war
but
echo "I'm evil" > /dev/zero/start_nuclear_war
?
--
Abramo Bagnara mailto:[EMAIL PROTECTED]
Opera Unica Phone: +39.546.656023
Via Emilia Interna, 140
48014 Castel Bolognese (RA) - Italy
ALSA project http://www.alsa-project.org
It sounds good!
-
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to [EMAIL PROTECTED]
