On Thu, 11 Apr 2024 at 10:35, Charles Mirabile <cmirabil@xxxxxxxxxx> wrote:
>
> And a slightly dubious addition to bypass these checks for tmpfiles
> across the board.
Does this make sense?
I 100% agree that one of the primary reasons why people want flink()
is that "open tmpfile, finalize contents and permissions, then link
the final result into the filesystem".
But I would expect that the "same credentials as open" check is the
one that really matters.
And __O_TMPFILE is just a special case that might not even be used -
it's entirely possible to just do the same with a real file (ie
non-O_TMPFILE) and link it in place and remove the original.
Not to mention that ->tmpfile() isn't necessarily even available, so
the whole concept of "use O_TMPFILE and then linkat" is actually
broken. It *has* to be able to fall back to a regular file to work at
all on NFS.
So while I understand your motivation, I actually think it's actively
wrong to special-case __O_TMPFILE, because it encourages a pattern
that is bad.
Linus
