Re: hardlinks.... sucks... ;-(

Wolfgang Walter (wolfgang.walter@stusta.mhn.de)
Wed, 7 Jan 1998 20:57:47 +0100


On Wed, Jan 07, 1998 at 10:57:07AM +0100, Pavel Machek wrote:
> Hi!
>
>
> > >> No. You just need other tool than chown, you need tool that changes
> > >> uid->uid. And you run it as chown -from olduser -to newuser -R /,
> > >> which looks for all files owned by olduser and makes newuser own
> > >> them. Just go ahead and write this tool. (And mail me a copy ;-). (I
> > >> would also appreciate option to delete such files).
> > >
> > > Try something a bit like one of the following:
> > >
> > > find / -user 1234 -print | xargs chown 4321
> > > find / -user 1234 -print | xargs rm
> > > find / -user 1234 -exec chown 4321 {} \;
> > > find / -user 1234 -exec rm {} \;
> >
> > Alright now, how many people would do that? :-)
> >
> > 1. the file is found by "find"
> > 2. the user removes it and makes a link
> > 3. the "chown" command runs
> >
> > It seems a file starting with "-" could cause trouble too.
> > Maybe a name like "--follow-symlinks" would be interesting.
>
> Seems to me like what I proposed somewhere up in thread - new utility
> to do this safely...
>
> > Link and symlink restrictions would help protect us from
> > our luserness. Arrogance has no place in security.
>
> Well, I'm not sure if I want to break compatibility to protect myself
> from [not-so-]stupid errors.
>
> Well, but with that race condition above... It *might* be kernel issue
> after all. Enlighten me: how is this operation done safely?

The problem with the whole unix-interface is that you generally use names. But
from one call to the other the object referenced by that name may change.
This gets especially tricky if parts of the name-tree are owned by different
users.

It would be much better if there were something like

GetObjId(name)

and all other operations would request such an id.

Often you can achieve something similar by opening a file/dir read-only and
then using
fstat, fchown, fchmod, fchdir, ...

I think the above task could be done with these operations, though it would
be rather difficult.

The weaknesses of these are that there is no flag for open which inhibits open
from following symlinks, there is no fopen() and there is only a limited
number of filehandles.

The above job can be solved even with these limits.

To change ownership of whole hierarchies: use a third, sure user and group
to freeze a directory:

fd = open(directory, O_RDONLY)
check ownership, ...
fchdir(fd)
/* so even if the hierarchy above is not safe, they cannot fool us
   by moving and replacing this
*/

fchown(fd, secure user, secure group);
fchmod(fd, o-w);
/* directory is frozen */
change ownership of files and symlinks with lchown if they belong
to olduser
change ownership of directories to secure user, secure group
and chmod(o-w)
chdir into every directory and do the same again
change ownership of . to newuser, newgroup
restore mode of .

In this case I assume that all directories in the hierarchy belong to olduser.
Otherwise you have to remember the ownership of every directory.

Wolfgang Walter
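The freeze-and-descend procedure above, written out as an added example (not code from the original post). It also covers the "remember the ownership of every directory" case mentioned at the end: every directory is frozen, and on the way back out it gets its remembered owner, mapped olduser->newuser where that applied. Instead of fchdir() plus relative names it uses openat()/fstatat()/fchownat() with AT_SYMLINK_NOFOLLOW, which did not exist in 1998 but express the same idea: after the first open, every step refers to an already opened directory, and no symlink is ever followed. The names struct xfer, chown_dir_fd, safe_chown_tree and demo_run, and the sample tree, are this example's own.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One uid->uid transfer (struct and field names are this example's own). */
struct xfer {
    uid_t from, to;    /* objects owned by `from` become owned by `to` ... */
    gid_t to_gid;      /* ... and this gid; (gid_t)-1 keeps the gid */
    uid_t freeze_uid;  /* "secure" owner a directory gets while it is processed */
    gid_t freeze_gid;
};

/* Works on an already opened directory fd, so every later step hits the same
 * inode. Returns the number of objects chown'ed below and including it, or -1. */
static long chown_dir_fd(int dfd, const struct xfer *x)
{
    struct stat st;
    if (fstat(dfd, &st) < 0) return -1;
    mode_t mode = st.st_mode & 07777;

    /* Freeze: the old user loses the directory and nobody but the secure user
     * may write it, so no entry can be unlinked or swapped for a link from now
     * on. Group write goes too, in case the old user is in the directory's group. */
    if (fchown(dfd, x->freeze_uid, x->freeze_gid) < 0) return -1;
    if (fchmod(dfd, mode & ~(S_IWGRP | S_IWOTH)) < 0) return -1;

    DIR *d = fdopendir(dup(dfd));   /* closedir() closes the dup, dfd stays open */
    if (!d) return -1;
    long changed = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        struct stat est;
        /* lstat semantics: a symlink is seen as a symlink, never as its target */
        if (fstatat(dfd, de->d_name, &est, AT_SYMLINK_NOFOLLOW) < 0) goto fail;
        if (S_ISDIR(est.st_mode)) {
            /* parent is frozen, so the name still denotes the directory just stat'ed */
            int sub = openat(dfd, de->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            if (sub < 0) goto fail;
            long r = chown_dir_fd(sub, x);
            close(sub);
            if (r < 0) goto fail;
            changed += r;
        } else if (est.st_uid == x->from) {
            /* plain files and symlinks: lchown() semantics, the link itself changes */
            if (fchownat(dfd, de->d_name, x->to, x->to_gid, AT_SYMLINK_NOFOLLOW) < 0)
                goto fail;
            changed++;
        }
    }
    closedir(d);

    /* Thaw: give "." its remembered owner, mapped old->new where that applies,
     * then put the original mode (write bits included) back. */
    int was_old = (st.st_uid == x->from);
    if (fchown(dfd, was_old ? x->to : st.st_uid,
                    was_old ? x->to_gid : st.st_gid) < 0) return -1;
    if (fchmod(dfd, mode) < 0) return -1;
    return changed + was_old;
fail:
    closedir(d);
    return -1;
}

/* Only the root of the tree is ever opened by path, and even that refuses to
 * follow a symlink. Returns the number of objects chown'ed, or -1 on error. */
long safe_chown_tree(const char *root, const struct xfer *x)
{
    int fd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) return -1;
    long n = chown_dir_fd(fd, x);
    close(fd);
    return n;
}

/* Constructed sample tree. Runs the transfer with from == to == our own uid,
 * which the kernel permits without privilege, so the walk can be exercised as
 * an ordinary user. Expected result: 5 (root, a.txt, sub, sub/b.txt, sub/link). */
long demo_run(void)
{
    const char *tmp = getenv("TMPDIR");
    char root[4096], p[4096];
    snprintf(root, sizeof root, "%s/chowntree.XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(root)) return -1;
#define J(name) (snprintf(p, sizeof p, "%s/%s", root, (name)), p)  /* path under root */
    mkdir(J("sub"), 0700);
    close(open(J("a.txt"), O_WRONLY | O_CREAT, 0600));
    close(open(J("sub/b.txt"), O_WRONLY | O_CREAT, 0600));
    symlink("/etc/passwd", J("sub/link"));   /* the target must never be touched */
    struct xfer x = { getuid(), getuid(), (gid_t)-1, getuid(), (gid_t)-1 };
    long n = safe_chown_tree(root, &x);
    unlink(J("sub/link")); unlink(J("sub/b.txt")); unlink(J("a.txt"));   /* tear down */
    rmdir(J("sub")); rmdir(root);
#undef J
    return n;
}
```

A real transfer (from != to, a separate freeze user) has to run as root, since only root may give a file to another owner; demo_run() keeps every uid equal so the walk itself can be tried unprivileged. The hardlink problem the thread is about is untouched by this: chown acts on the inode, so a second link the old user keeps elsewhere changes owner along with the one found here.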