On Thu 2009-10-29 18:24:01, Dan Yefimov wrote: > On 29.10.2009 0:27, Pavel Machek wrote: >>>> That race is easily fixed. >>> >>> No, you're not right. >>> >>>> After chmodding the directory to 0700, *first* >>>> check the link count, *then* chmod the file to 0666: >>>> >>>> User1 creates file with permissions 0644 >>>> User2 opens file for read access on file descriptor 4 >>>> User1 chmod's directory to 0700 >>>> User1 verifies no hard links to file >>> >>> Here's a window, during which User2 is able to create a hardlink and >>> that will remain unnoticed by User1. There's no way to perform link >>> check and conditionally do chmod in an atomic manner. >> >> 0700 on directory prevents hardlink creation, see? >> > Do you still remember about openat()? If the directory was created with No, you said you can do hardlink, and you can't. Try it. openat(O_SEARCH) does not seem to exist. > 0700 mode from the origin, you would be right, and procfs wouldn't >allow > opening files in that directory too, but if you let others to traverse > that directory and open your believed to be secure files from the origin, > it's your fault. I can do the example with fd passing and 700 directory, but it would be lot of C code. Feel free to play, my example was not nearly the only way to demonstrate it, and no, it was not racy. Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
