On 2021-02-27, Drew DeVault <sir@xxxxxxxxx> wrote:
> Hiya! I'm looking into the mkdirat and openat syscalls, and I noticed
> that there's no means of implementing TOCTOU (time-of-check to
> time-of-use, a technique for preventing race conditions) on directory
> creation.
>
> To create a directory and obtain a dirfd for it, you have to (1)
> mkdirat, then (2) openat with O_DIRECTORY, and if the directory is
> removed in between, the latter will fail.
>
> One possibly straightforward solution is to support openat with the
> O_DIRECTORY and O_CREAT flags specified.

This was discussed last year[1]. I think it would be useful but it
shouldn't be done as part of openat(2) because we already have enough
multiplexing with that syscall. Maybe a mkdirat2(2) (which takes a flags
argument -- sigh) that can be told to return a handle to the new
directory would be a nicer API.

> The present behavior of this flag combination is to create a file and
> return ENOTDIR. The appropriate behavior is probably to create a
> directory as proposed, or, at a minimum, to return EINVAL and not create
> the file.

Changing the semantics of open scares me a fair bit -- you could
probably change openat2(2) since it's not as widely used yet.

[1]: https://lore.kernel.org/linux-fsdevel/20200316142057.xo24zea3k5zwswra@yavin/

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
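The mkdirat-then-openat sequence discussed above, as an added example (not code from the thread or from the kernel): it marks the window between the two syscalls and adds the userspace checks that turn losing the race into a clean failure, since nothing short of a new kernel interface can close it. The 0700 mode, the EACCES value and the helper names are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `name` under `dirfd` (mode 0700 is an assumption for this example)
 * and return a dirfd for it, or -1 with errno set. */
int mkdir_and_open(int dirfd, const char *name)
{
    if (mkdirat(dirfd, name, 0700) < 0)
        return -1;                /* EEXIST included: we did not create it */

    /* The race window is here. O_DIRECTORY rejects a file swapped in after
     * mkdirat, O_NOFOLLOW rejects a symlink; ENOENT is the removal case. */
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* A directory with the right name but another owner is still not ours. */
    struct stat st;
    int err = 0;
    if (fstat(fd, &st) < 0) err = errno;
    else if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid()) err = EACCES;
    if (err) {
        close(fd);
        errno = err;              /* EACCES is a value chosen for this example */
        return -1;
    }
    return fd;
}

/* Exercise the helper in a scratch directory: the first call must succeed,
 * a repeat must fail with EEXIST. Returns 1 on success, 0 otherwise. */
int demo_mkdir_and_open(void)
{
    char base[] = "/tmp/mkdirat-demo-XXXXXX";   /* constructed scratch path */
    if (!mkdtemp(base)) return 0;
    int basefd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int fd = mkdir_and_open(basefd, "sub");
    int again = mkdir_and_open(basefd, "sub");
    int ok = fd >= 0 && again < 0 && errno == EEXIST;
    if (fd >= 0) close(fd);
    unlinkat(basefd, "sub", AT_REMOVEDIR);
    close(basefd);
    rmdir(base);
    return ok;
}
```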