Re: Fwd: [bug #17877] Invalid "No such file or directory" error on filesystem without stable inode numbers

[Miklos Szeredi]

> >> For example, consider the classic symlink attack.
> >> We're not supposed to follow symlinks and our system lacks support
> >> for open's O_NOFOLLOW flag.  So we lstat the target directory,
> >> determine that it is indeed a directory, then open it.  But between
> >> the lstat and the open, someone moved it aside and replaced it with
> >> a symlink to another directory.  The only way to detect that is to
> >> compare dev/inode pairs before and after.
> >
> > OK, but for systems which do have O_NOFOLLOW, this isn't necessary and
> > less efficient than just using O_NOFOLLOW.  So can't this test be made
> > conditional for systems lacking O_NOFOLLOW?
> 
> For that one yes, but there is a more insidious attack.
> 
> The case in which a partially processed (visited just once so far)
> directory is renamed to reside at a different level in the file system

You mean a directory that is an ancestor of the current directory, but
a descendant of the root of find is moved?

> hierarchy must also be detected.  There, O_NOFOLLOW doesn't help at all.
> It can be detected upon traversing a ".." link only by comparing prior
> and current dev/ino pairs.

Shouldn't holding the current directory open prevent the ancestor from
changing inodes in this case?

If so, then the fix might be just to make the test in
fts_safe_changedir() be dependent on a couple factors.

Miklos