Re: varlinks! (and 2.1.98 works for me)

Werner Almesberger
Sun, 3 May 1998 16:50:33 +0200 (MET DST)

Ton Hospel wrote:
> - stare at the link (e.g. do a readlink), do some checking, then follow it.
> That had a race condition anyways, so it cannot be trusted

Theoretically, it could do something like this:

    safety_t verify(path_list_t path_components)
    {
        while (path_components) {
            first = pop(path_components);
            if (is_directory(first) && is_trusted(first.owner) &&
                is_unwritable_for_untrusted_users(first.mode)) {
                /* trusted, unwritable directory: go on to the next component */
            } else if (is_symlink(first)) {
                result = verify(read_link(first));
                if (result != SAFE) return result;
            } else if (is_file(first)) {
                return SAFE;
            } else {
                /* perhaps also allow certain other types */
                return UNSAFE;
            }
        }
        return SAFE;
    }

I think that, provided that we start with a trusted cwd or have an absolute
path, and that trusted users don't change directory permissions on the fly,
this leaves no races, but could be subverted by using varlinks.

I don't know if this type of check occurs in real programs, though.

- Werner

Werner Almesberger, DI-ICA, EPFL, CH
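The component-by-component check sketched above, worked out as an added example (not code from the original post). It assumes the starting directory is trusted, that "trusted owner" means root or the current user, and that a directory writable by group or others counts as writable by untrusted users; it also adds a depth cap so a symlink loop terminates.

```python
import os
import stat
import tempfile

SAFE, UNSAFE, LOOP = "SAFE", "UNSAFE", "LOOP"
MAX_DEPTH = 40  # cap on symlink chains; an assumed value, in the spirit of ELOOP limits
UNTRUSTED_WRITE = stat.S_IWGRP | stat.S_IWOTH  # group/other write bits on a directory

def verify(path, start_dir, trusted_uids, depth=0):
    """Walk path component by component from the trusted start_dir, using lstat so links are inspected."""
    if depth > MAX_DEPTH:
        return LOOP
    if os.path.isabs(path):
        start_dir = "/"
    components = [c for c in path.split("/") if c and c != "."]
    cur = start_dir
    while components:
        first = components.pop(0)
        full = os.path.join(cur, first)
        try:
            st = os.lstat(full)
        except OSError:
            return UNSAFE
        if stat.S_ISDIR(st.st_mode):
            # A directory is trusted only if a trusted user owns it and untrusted users cannot write it.
            if st.st_uid not in trusted_uids or st.st_mode & UNTRUSTED_WRITE:
                return UNSAFE
            cur = full
        elif stat.S_ISLNK(st.st_mode):
            # Verify the raw link target plus the rest of the path relative to the link's directory (a varlink would subvert this).
            target = os.readlink(full)
            return verify(os.path.join(target, *components), cur, trusted_uids, depth + 1)
        elif stat.S_ISREG(st.st_mode):
            return SAFE if not components else UNSAFE
        else:
            return UNSAFE  # perhaps also allow certain other types
    return SAFE

def demo():
    """Constructed sample tree (not from the original post): ok/secret in a 0o755 dir,
    open/secret in a 0o777 dir, link -> ok/secret, loop -> loop."""
    root = tempfile.mkdtemp()
    for d, mode in (("ok", 0o755), ("open", 0o777)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)  # explicit chmod, since mkdir's mode is masked by umask
        with open(os.path.join(root, d, "secret"), "w") as f:
            f.write("x")
    os.symlink("ok/secret", os.path.join(root, "link"))
    os.symlink("loop", os.path.join(root, "loop"))
    return {p: verify(p, root, {0, os.getuid()}) for p in ("ok/secret", "open/secret", "link", "loop")}
```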
