bug-hurd

Re: filesystem access security


From: Niels Möller
Subject: Re: filesystem access security
Date: 29 Nov 2003 23:12:03 +0100
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

James Buchanan <jamesb.au@acm.org> writes:

> This requires that glibc always does a secure lookup, and then inspects
> the node to decide if it wants to resolve the translator or not.  This
> adds a small cost to all cross-translator lookups, but cross-translator
> lookups are expensive already anyway.

I don't remember if this has been discussed already, but anyway: This
sounds like a race condition. I think the right thing to do is to
first open the node (using O_NOTRANS), examine it. If the translator
is to be followed, the node should not be opened again, instead one
needs a special function that follows the translator setting for the
opened node.

There's no such function in the current file interface, is there? One
design might be to have a general "reopen" mechanism that opens a file
with a new set of openflags (not all variants need to work, for
example opening a translator file without O_NOTRANS and later
"reopening" it with O_NOTRANS, which could mean to get the underlying
file, might not work).

For security reasons, this should probably not be enabled by default
(if you open a file read-only, and pass the handle to some other
process, you probably don't want the other process to be able to
reopen the file in read-write mode, or reopen it with a different
value for the O_NOTRANS flag). But this could just be one more open
flag, say O_ALLOW_REOPEN.

Then glibc could do something like

  f = open(name, mode | O_NOTRANS | O_ALLOW_REOPEN); /* One lookup, not followed */
  fstat(f, &st);                                      /* Inspect the node we hold */
  if (translator that should be followed)
    f = reopen(f, mode);             /* Follow translator */
  else
    f = reopen(f, mode | O_NOTRANS); /* Disable reopen */

Regards,
/Niels
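The open-once, inspect, reopen-the-held-node pattern sketched above, as an added example that is not code from the thread, glibc or the Hurd, transposed to Linux: it assumes O_PATH|O_NOFOLLOW as the analogue of O_NOTRANS, opening /proc/self/fd/N as the analogue of the proposed reopen(), and a "regular file only" rule standing in for the translator-policy decision, so the name is looked up exactly once and the lookup/decide/open race is avoided.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifndef O_PATH
#define O_PATH 010000000 /* Linux x86/arm value, hidden unless _GNU_SOURCE */
#endif

/* Open `name` with `flags` only after inspecting the node that ONE lookup
 * produced.  O_PATH|O_NOFOLLOW stands in for O_NOTRANS, and opening
 * /proc/self/fd/N stands in for the proposed reopen(): the new descriptor is
 * derived from the held node, so `name` is never resolved a second time.
 * Policy stand-in: only regular files are followed; a symlink is refused. */
int open_inspected(const char *name, int flags)
{
    struct stat st; char via[64];
    int pfd = open(name, O_PATH | O_NOFOLLOW | O_CLOEXEC); /* 1. look up once */
    if (pfd < 0) return -1;
    if (fstat(pfd, &st) < 0 || !S_ISREG(st.st_mode)) {    /* 2. inspect node */
        close(pfd); errno = ELOOP; return -1;
    }
    snprintf(via, sizeof via, "/proc/self/fd/%d", pfd);  /* 3. reopen node */
    int fd = open(via, flags | O_CLOEXEC);
    close(pfd);
    return fd;
}

/* Constructed scenario: a regular file is accepted and readable through the
 * reopened descriptor; a symlink pointing at it is refused.  0 = both hold. */
int demo(void)
{
    char path[] = "/tmp/reopen-demo-XXXXXX", link[64], buf[8] = {0};
    int fd = mkstemp(path), rc = -1;
    if (fd < 0 || write(fd, "hello", 5) != 5) return -1;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", path);
    if (symlink(path, link) == 0) {
        int good = open_inspected(path, O_RDONLY), bad = open_inspected(link, O_RDONLY);
        if (good >= 0 && read(good, buf, 5) == 5 && !strcmp(buf, "hello") && bad < 0)
            rc = 0;
        if (good >= 0) close(good);
        unlink(link);
    }
    unlink(path);
    return rc;
}
```

The reopen step needs /proc mounted; on a system without it, open_inspected fails closed rather than falling back to a second lookup by name.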



