On 2/12/19 3:18 PM, Andreas Dilger wrote:
> On Feb 12, 2019, at 7:54 AM, demiobenour@xxxxxxxxx wrote:
>>
>> From: "Demi M. Obenour" <demiobenour@xxxxxxxxx>
>>
>> This adds the file open flag O_PATHSTATIC, which ensures that symbolic
>> links are *never* followed, even in path components other than the last.
>> This is distinct from O_NOFOLLOW, which only prevents symlinks in the
>> *last* component from being followed.
>>
>> This is useful for avoiding race conditions in userspace code that
>> should expose only a subset of the filesystem to clients. This includes
>> FTP and SFTP servers, QEMU, and others.
>>
>> Currently, O_NOFOLLOW must be set if O_PATHSTATIC is set. Otherwise,
>> open() fails with -EINVAL.
>
> I don't want to bikeshed (discard suggestion if you disagree), but why not
> name the flag "O_NEVER_FOLLOW" so that users can see it is also related to
> "O_NOFOLLOW"? Otherwise it seems like they are two completely different
> things from looking at the names, when in fact they are closely related.
>
> Cheers, Andreas
>

Searching for O_PATHSTATIC gives two results:

* https://www.halfdog.net/Security/2010/FilesystemRecursionAndSymlinks
* https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06225.html

O_DIRECTORY_NOFOLLOW would also be a good choice, since that is what the
flag actually does. Ideally, we would rename O_NOFOLLOW, but we can’t.