> My guess for steps to create the problem is:
> [...]
> ... and the tmp cleanup does a "rmdir /tmp/foo/bar", [...]
That's the classic way to abuse such things.  That's why I postulated a form of rm -r that doesn't construct multi-directory pathnames, but instead fchdir()s into each directory and then uses slash-free pathnames to refer to things in that directory - and then fchdir()s back out, thereby guaranteeing returning to the old directory even if someone's playing symlink games.  I also specified statting . after fchdiring to make sure the fchdir went where it was supposed to.

One of the downsides of this is that it needs one file descriptor per level of directory.  It could also, of course, be done by forking, or by a hybrid solution that uses file descriptors, but forks when it runs out of fds, thereby (roughly) dividing the number of processes required by the number of available file descriptors.

It's got some problems, of course.  But I don't think vulnerability to symlink games such as you outline is one of them.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTML	mo...@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
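The scheme described in the reply above, written out as an added C example (an illustration by the editor, not code from this thread or its author): fchdir() into each directory, stat(".") afterwards and compare device/inode against fstat() of the descriptor we hold, operate only on slash-free names, then fchdir() back to the parent before the rmdir(). Beyond what the post states, the example also opens each entry with O_NOFOLLOW|O_DIRECTORY so that an entry swapped for a symlink between readdir() and open() is unlinked rather than followed. The names safe_rmtree, enter_dir, remove_contents and demo_safe_rmtree, and the /tmp fixture the demo builds, are the editor's choices.

```c
/* Symlink-resistant recursive removal, in the fchdir() style discussed
 * above.  Added example; function names and fixture paths are assumptions. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* fchdir() to fd, then stat(".") and check it is the very directory we hold
 * open (same st_dev/st_ino) -- the "stat . after fchdir" check from the post. */
static int enter_dir(int fd)
{
    struct stat want, got;
    if (fstat(fd, &want) < 0 || fchdir(fd) < 0 || stat(".", &got) < 0)
        return -1;
    if (got.st_dev != want.st_dev || got.st_ino != want.st_ino) {
        errno = EIO;                 /* cwd is not where it should be: stop */
        return -1;
    }
    return 0;
}

/* Empty the directory open on dirfd using only slash-free names.
 * Costs one child fd plus one DIR stream per nesting level. */
static int remove_contents(int dirfd)
{
    if (enter_dir(dirfd) < 0) return -1;
    DIR *d = opendir(".");           /* "." cannot be redirected by a symlink */
    if (!d) return -1;
    int removed;
    do {                             /* loop until a full pass removes nothing */
        struct dirent *e;
        removed = 0;
        rewinddir(d);
        while ((e = readdir(d)) != NULL) {
            const char *name = e->d_name;
            if (!strcmp(name, ".") || !strcmp(name, "..")) continue;
            /* Succeeds only for a real subdirectory; a symlink is not followed
             * (ELOOP on Linux/macOS, EMLINK on FreeBSD; ENOTDIR for files). */
            int child = open(name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
            if (child >= 0) {
                int rc = remove_contents(child);
                close(child);
                /* fchdir() back to the parent and re-verify before rmdir(name) */
                if (rc < 0 || enter_dir(dirfd) < 0 || rmdir(name) < 0) {
                    closedir(d); return -1;
                }
            } else if (errno == ENOTDIR || errno == ELOOP || errno == EMLINK) {
                if (unlink(name) < 0) { closedir(d); return -1; }
            } else {
                closedir(d); return -1;
            }
            removed++;
        }
    } while (removed > 0);
    closedir(d);
    return 0;
}

/* Remove the directory at path (not followed if it is a symlink) and all of
 * its contents.  Restores the caller's cwd.  Returns 0 on success, -1 on error. */
int safe_rmtree(const char *path)
{
    char *dcopy = strdup(path), *bcopy = strdup(path);
    if (!dcopy || !bcopy) { free(dcopy); free(bcopy); return -1; }
    const char *dir = dirname(dcopy), *base = basename(bcopy);
    int rc = -1, saved_errno, target = -1;
    int here = open(".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int parent = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (here < 0 || parent < 0 || enter_dir(parent) < 0) goto out;
    target = open(base, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (target < 0) goto out;
    if (remove_contents(target) == 0 && enter_dir(parent) == 0 && rmdir(base) == 0)
        rc = 0;
out:
    saved_errno = errno;
    if (here >= 0) fchdir(here);     /* always go back to where we started */
    if (target >= 0) close(target);
    if (parent >= 0) close(parent);
    if (here >= 0) close(here);
    free(dcopy); free(bcopy);
    errno = saved_errno;
    return rc;
}

/* Constructed self-check: a tree containing a symlink that points OUTSIDE the
 * tree is removed; the symlink's target must survive.  Returns 1 if so. */
int demo_safe_rmtree(void)
{
    char tree[] = "/tmp/rmtree_XXXXXX", outside[] = "/tmp/outside_XXXXXX", p[512];
    int ok = 0, fd;
    if (!mkdtemp(tree) || !mkdtemp(outside)) return 0;
    snprintf(p, sizeof p, "%s/keep", outside);
    if ((fd = open(p, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd);
    snprintf(p, sizeof p, "%s/a", tree);          mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/a/b", tree);        mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/a/b/file", tree);
    if ((fd = open(p, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd);
    snprintf(p, sizeof p, "%s/a/escape", tree);   symlink(outside, p);
    if (safe_rmtree(tree) == 0 && access(tree, F_OK) != 0) {
        snprintf(p, sizeof p, "%s/keep", outside);
        ok = (access(p, F_OK) == 0);             /* target was not descended into */
    }
    snprintf(p, sizeof p, "%s/keep", outside); unlink(p); rmdir(outside);
    return ok;
}

int main(void)
{
    int ok = demo_safe_rmtree();
    printf("safe_rmtree demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

As written, each nesting level holds the child descriptor plus the DIR stream's own descriptor, so the per-level cost is two fds rather than the one the post counts; the fork-when-out-of-fds hybrid the post mentions would go in remove_contents at the point where open() fails with EMFILE. Note also that only the top-level argument is ever resolved as a multi-component pathname (once, to open its parent directory); everything below it is addressed by slash-free names relative to a verified cwd.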