Theoretically, it could do something like this:
typedef enum { SAFE, UNSAFE } safety_t;

/* Sketch only: the helper types and functions (path_list_t, pop, is_trusted, ...)
   are left abstract. */
safety_t verify(path_list_t path_components)
{
	while (path_components) {
		path_component_t first = pop(path_components);

		/* A directory is passed through only if a trusted user owns it
		   and untrusted users cannot write to it (so they cannot swap
		   entries underneath us while we walk). */
		if (is_directory(first) && is_trusted(first.owner) &&
		    is_unwritable_for_untrusted_users(first.mode)) {
			advance_cwd(first);
			continue;
		}
		/* A symlink is only acceptable if its target passes the same check. */
		if (is_symlink(first)) {
			safety_t result = verify(read_link(first));
			if (result != SAFE) return result;
			continue;
		}
		if (is_file(first)) return SAFE;
		/* perhaps also allow certain other types */
		return UNSAFE;
	}
	return SAFE;
}
I think that, provided that we start with a trusted cwd or have an absolute
path, and that trusted users don't change directory permissions on the fly,
this leaves no races, but could be subverted by using varlinks.
I don't know if this type of check occurs in real programs, though.
- Werner
-- 
Werner Almesberger, DI-ICA, EPFL, CH          werner.almesberger@lrc.di.epfl.ch
IN R 131   Tel +41 21 693 6621   Fax +41 21 693 6610

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
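A concrete form of the component walk sketched above, added here as an example (it is not Werner's code): every step uses the *at() calls relative to the directory fd reached so far, which is what the "trusted cwd" precondition buys, and a symlink is handled by re-verifying its target joined with the remaining path. The names verify_path and demo_tree_check are mine, and "trusted owner" meaning root or the calling user is an assumption.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
enum safety { SAFE = 0, UNSAFE = 1 };
/* Walk `path` one component at a time relative to the trusted directory fd `dirfd` (the post's trusted
 * cwd), never following symlinks implicitly. Assumption: a "trusted" owner is root or the calling user. */
static enum safety verify_path(int dirfd, const char *path, int depth)
{
    int cwd = (*path == '/') ? open("/", O_RDONLY | O_DIRECTORY) : dup(dirfd), next;
    enum safety res = UNSAFE; struct stat st; const char *p = path;
    if (cwd < 0 || depth > 16) goto out;                      /* open/dup failure or symlink loop: UNSAFE */
    for (;;) {
        char comp[PATH_MAX], joined[2 * PATH_MAX];
        while (*p == '/') p++; if (!*p) { res = SAFE; goto out; }   /* every component was a trusted dir */
        size_t len = strcspn(p, "/"); if (len >= sizeof comp) goto out;
        memcpy(comp, p, len); comp[len] = '\0'; p += len;
        if (fstatat(cwd, comp, &st, AT_SYMLINK_NOFOLLOW) < 0) goto out;
        if (S_ISDIR(st.st_mode)) {                            /* trusted, non-writable directory: step into it */
            if ((st.st_uid && st.st_uid != getuid()) || (st.st_mode & (S_IWGRP | S_IWOTH))) goto out;
            if ((next = openat(cwd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)) < 0) goto out;
            close(cwd); cwd = next; continue;
        }
        if (S_ISLNK(st.st_mode)) {                            /* re-verify "target/remaining path" from here */
            ssize_t n = readlinkat(cwd, comp, joined, sizeof joined - 1);
            if (n < 0 || snprintf(joined + n, sizeof joined - n, "/%s", p) >= (int)(sizeof joined - n)) goto out;
            res = verify_path(cwd, joined, depth + 1); goto out;
        }
        while (*p == '/') p++;                                /* a plain file is safe only as the last component */
        res = (S_ISREG(st.st_mode) && !*p) ? SAFE : UNSAFE; goto out;
    }
out: if (cwd >= 0) close(cwd);
    return res;
}
/* Constructed fixture (0700 temp dir owned by the caller): file f, symlink l -> f, world-writable
 * subdir w. Returns 7 when all three verdicts come out as expected. */
static int demo_tree_check(void)
{
    char root[] = "/tmp/vpXXXXXX"; int fd, ok;
    if (!mkdtemp(root) || (fd = open(root, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    close(openat(fd, "f", O_WRONLY | O_CREAT, 0644)); symlinkat("f", fd, "l");
    mkdirat(fd, "w", 0777); fchmodat(fd, "w", 0777, 0);      /* fchmodat: not subject to umask */
    ok = (verify_path(fd, "f", 0) == SAFE) | (verify_path(fd, "l", 0) == SAFE) << 1
       | (verify_path(fd, "w", 0) == UNSAFE) << 2;
    unlinkat(fd, "l", 0); unlinkat(fd, "f", 0); unlinkat(fd, "w", AT_REMOVEDIR); close(fd); rmdir(root);
    return ok;
}
```

The walk only vouches for the moment it passed each component, so a caller should open the file by the same fd-relative route rather than re-opening the path name afterwards; otherwise the check and the use can still be separated by a rename or link swap in a directory that has since changed.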