Evaluating Windows Security Descriptors.

tridge at samba.org
Wed Dec 19 20:39:58 GMT 2007


Chris,

I am not as pessimistic about your plan as Volker is. It does need to
be done very carefully, but I think that with careful design you may
be able to make it secure.

For example, the simple race Volker mentioned can be avoided as
follows:

 1) before you open, you stat() and remember the device:inode 

 2) after you open, you fstat() and cross-check. If it's unchanged, then
 no symlink games were played. If it has changed, then loop back to (1)
 and re-do all checks.

 3) if the stat() showed the file didn't exist, then add O_EXCL

 4) if you thought the file didn't exist, and O_EXCL causes an open
 failure, then loop back to (1)

There are other races too, not just this simple one, but with some
careful thought you may find you can beat them.

Samba has had this style of race for years. We've worked around some
of them, but not all. In your design these races become more critical,
but don't give up completely. Try and think it through instead.

Cheers, Tridge
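The four-step stat/open/fstat loop sketched in the message above, written out in C as an added example (this is not Tridge's code and not Samba's; the function names open_checked and demo_roundtrip, the retry limit and the scratch path are assumptions made here). The loop treats "open, creating the file if it is absent" as the operation: when stat() reports no file, open() gets O_CREAT|O_EXCL so that anything planted in between makes the open fail; when stat() found a file, the descriptor is fstat()ed and its device:inode is compared with what stat() saw, and any mismatch or unexpected ENOENT/EEXIST sends the loop back to step 1.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_RETRIES 8   /* assumption: give up after this many restarts */

/* Open `path` with `flags` (O_RDONLY/O_WRONLY/O_RDWR and friends), creating it
 * with `mode` if it is absent. On success the returned descriptor refers to
 * exactly the inode that the pre-open stat() examined (or to a file this call
 * created itself). Returns -1 with errno set on failure. */
int open_checked(const char *path, int flags, mode_t mode)
{
    struct stat pre, post;

    for (int attempt = 0; attempt < MAX_RETRIES; attempt++) {
        int existed, fd, open_flags;

        /* (1) stat() and remember device:inode. Any ownership or permission
         * checks on the object belong here, against `pre`. */
        if (stat(path, &pre) == 0) {
            existed = 1;
        } else if (errno == ENOENT) {
            existed = 0;
        } else {
            return -1;                      /* EACCES, ELOOP, ...: give up */
        }

        /* (3) absent at stat() time: add O_CREAT|O_EXCL so that an object
         * planted between stat() and open() makes the open fail.
         * Present at stat() time: never create, so a vanished file is noticed. */
        open_flags = existed ? (flags & ~(O_CREAT | O_EXCL))
                             : (flags | O_CREAT | O_EXCL);
        fd = open(path, open_flags, mode);
        if (fd < 0) {
            /* (4) thought absent but O_EXCL says present, or thought present
             * but now gone: the path changed under us, start over at (1). */
            if ((!existed && errno == EEXIST) || (existed && errno == ENOENT))
                continue;
            return -1;
        }

        if (!existed)
            return fd;  /* O_EXCL succeeded: we created it, nothing to compare */

        /* (2) fstat() the open descriptor and cross-check device:inode. */
        if (fstat(fd, &post) == 0 &&
            post.st_dev == pre.st_dev && post.st_ino == pre.st_ino)
            return fd;

        close(fd);      /* inode changed between stat() and open(): retry */
    }
    errno = EAGAIN;
    return -1;
}

/* Exercise both branches on a scratch path (constructed for this example):
 * first open creates via O_EXCL, second open takes the stat/fstat path.
 * Returns 0 on success, a negative code on the step that failed. */
int demo_roundtrip(const char *path)
{
    struct stat st;
    char c = 0;
    ssize_t n;
    int fd;

    unlink(path);                       /* start absent */
    fd = open_checked(path, O_WRONLY, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || st.st_size != 0 || write(fd, "x", 1) != 1) {
        close(fd);
        return -2;
    }
    close(fd);

    fd = open_checked(path, O_RDONLY, 0600);   /* now present */
    if (fd < 0) return -3;
    n = read(fd, &c, 1);
    close(fd);
    unlink(path);
    return (n == 1 && c == 'x') ? 0 : -4;
}

int main(void)
{
    int rc = demo_roundtrip("/tmp/open_checked_demo.tmp");
    printf("demo_roundtrip: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

The comparison in step (2) only proves that the descriptor is the same inode the checks in step (1) looked at; whatever policy those checks enforce (ownership, permissions, "is this a symlink I am willing to follow") still has to be decided there, which is why a mismatch restarts the whole sequence rather than just the open.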

