On Fri, Jul 28, 2023 at 08:43:58AM +0000, David Laight wrote:
> ....
> > FWIW, I agree with Christian that these behaviours are not ideal (and
> > I'm working on a series that might allow for these things to be properly
> > blocked in the future) but there's also the consistency argument -- I
> > don't think fchownat() is much safer to allow in this way than
> > fchmodat() and (again) this behaviour is already possible through
> > procfs.
>
> If the 'through procfs' involves readlink("/proc/self/fd/n") and
> accessing through the returned path then the permission checks
> are different.
> Using the returned path requires search permissions on all the
> directories.

That's *not* how "through procfs" works. The "magic symlinks" in
/proc/*/fd are not actual symlinks that get dereferenced to the
contents they readlink() to, but special-type objects that dereference
directly to the underlying file associated with the open file
description.

Rich
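
The distinction drawn in the reply above can be observed from userspace. The following C program is an added example, not part of the original message or of any kernel patch; the helper name `magic_link_demo` and the `/tmp` scratch path are assumptions. It unlinks an open file so that the text returned by readlink() can no longer be resolved, then checks that opening /proc/self/fd/N still reaches the same inode.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from the thread). Returns 0 when the readlink()
 * text fails to resolve but the magic link still reaches the original inode;
 * negative on setup failure, positive if the kernel behaved differently. */
int magic_link_demo(void)
{
    char tmpl[] = "/tmp/magiclink-XXXXXX"; /* constructed scratch path */
    char link[64], text[PATH_MAX];
    struct stat orig, via;
    int rc = 0;

    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    /* After unlink() no directory entry names this inode any more. */
    if (unlink(tmpl) != 0 || write(fd, "data", 4) != 4) {
        close(fd);
        return -1;
    }
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, text, sizeof text - 1);
    if (n < 0) {
        close(fd);
        return -2; /* procfs not mounted */
    }
    text[n] = '\0'; /* e.g. "/tmp/magiclink-abc123 (deleted)" */

    int by_text = open(text, O_RDONLY);  /* ordinary path walk on the text */
    int by_magic = open(link, O_RDONLY); /* jumps straight to the open file */
    if (by_text >= 0)
        rc = 1; /* the text unexpectedly resolved */
    else if (by_magic < 0)
        rc = 2; /* the magic link unexpectedly failed */
    else if (fstat(fd, &orig) || fstat(by_magic, &via) ||
             orig.st_dev != via.st_dev || orig.st_ino != via.st_ino)
        rc = 3; /* reached a different file */
    printf("readlink text: %s\nopen(text)=%d open(magic)=%d\n",
           text, by_text, by_magic);
    if (by_text >= 0) close(by_text);
    if (by_magic >= 0) close(by_magic);
    close(fd);
    return rc;
}

int main(void) { return magic_link_demo(); }
```

Unlinking is used here instead of removing directory search permission so that the result is the same when the program runs as root.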