Evaluating Windows Security Descriptors.

tridge at samba.org tridge at samba.org
Wed Dec 19 20:39:58 GMT 2007


I am not as pessimistic about your plan as Volker is. It does need to
be done very carefully, but I think that with careful design you may
be able to make it secure.

For example, the simple race Volker mentioned can be avoided as

 1) before you open, you stat() and remember the device:inode 

 2) after you open, you fstat() and cross-check. If it's unchanged, then
 no symlink games were played. If it has changes then loop back to (1)
 and re-do all checks.

 3) if the stat() showed the file didn't exist, then add O_EXCL

 4) if you thought the file didn't exist, and O_EXCL causes an open
 failure, then loop back to (1)

There are other races too, not just this simple one, but with some
careful thought you may find you can beat them.

Samba has had this style of race for years. We've worked around some
of them, but not all. In your design these races become more critical,
but don't give up completely. Try and think it through instead.

Cheers, Tridge

More information about the samba-technical mailing list