Re: varlinks! (and 2.1.98 works for me)

Werner Almesberger (almesber@lrc.di.epfl.ch)
Sun, 3 May 1998 16:50:33 +0200 (MET DST)


Ton Hospel wrote:
> - stare at the link (e.g. do a readlink), do some checking, then follow it.
> That had a race condition anyways, so it cannot be trusted

Theoretically, it could do something like this:

safety_t verify(path_list_t path_components)
{
    while (path_components) {
        first = pop(path_components);
        /* a directory is only safe if a trusted owner holds it and
           untrusted users cannot write (i.e. replace entries) in it */
        if (is_directory(first) && is_trusted(first.owner) &&
            is_unwritable_for_untrusted_users(first.mode)) {
            advance_cwd(first);
            continue;
        }
        /* a symlink is safe only if its target passes the same walk */
        if (is_symlink(first)) {
            result = verify(read_link(first));
            if (result != SAFE) return result;
            continue;
        }
        if (is_file(first)) return SAFE;
        /* perhaps also allow certain other types */
        return UNSAFE;
    }
    return SAFE;
}

I think that, provided that we start with a trusted cwd or have an absolute
path, and that trusted users don't change directory permissions on the fly,
this leaves no races, but could be subverted by using varlinks.

I don't know if this type of check occurs in real programs, though.

- Werner

-- 
  _________________________________________________________________________
 / Werner Almesberger, DI-ICA,EPFL,CH   werner.almesberger@lrc.di.epfl.ch /
/_IN_R_131__Tel_+41_21_693_6621__Fax_+41_21_693_6610_____________________/

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu