[PATCHESv2] Add vfs_admin vfs module
Jeremy Allison
jra at samba.org
Tue Oct 6 16:13:53 UTC 2015
On Tue, Oct 06, 2015 at 08:41:12AM -0700, Jeremy Allison wrote:
> On Tue, Oct 06, 2015 at 08:36:34AM -0700, Jeremy Allison wrote:
> >
> > For directories, the only "safe" POSIX way to do this as
> > root is :
> >
> > a). mkdir(name)
> > b). fd = open(name, O_RDONLY);
> > c). fstat(fd);
> > d). Ensure owner/primary group match current POSIX
> > creds.
> > e). fchown(fd, newcreds);
> >
> > That's not race-free, but at least it can detect
> > any races.
>
> Correction ! That should be:
>
> a). mkdir(name)
> a1). chdir(name);
> b). fd = open(".", O_RDONLY);
> c). fstat(fd);
> d). Ensure owner/primary group match current POSIX
> creds.
> e). fchown(fd, newcreds);
>
> This stuff is tricky :-).

And the above is *also* wrong :-).

The correct (*) way is :

    parent_name = get_parent_name(name);
    final_component = get_final_component(name);
    chdir(parent_name);
    check_name = realpath(".");
    ensure check_name == parent_name;
    mkdir(final_component);
    chdir(final_component);
    check_name = realpath(".");
    ensure check_name == name;
    fd = open(".", O_RDONLY);
    fstat(fd);
    ensure stat owner matches current posix creds.
    fchown(fd, new_creds);

(*) until I or someone else spots another flaw :-).

This of course won't work with pathnames
deliberately containing symlinks, but is
as safe as I can think of on the spur of
the moment.
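
The final sequence above written out in C, as an added example that is not part of the original message or of Samba's code. The names `safe_mkdir_chown` and `cwd_is`, comparing the owner against `geteuid()`, and restoring the working directory afterwards are assumptions; `name` must be absolute and free of symlinks, as the message notes.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the current directory canonicalises to exactly `want`, else 0. */
static int cwd_is(const char *want)
{
    char buf[PATH_MAX];
    return realpath(".", buf) != NULL && strcmp(buf, want) == 0;
}

/* `name` must be absolute and canonical (no symlinks, no "." or "..").
 * Returns 0 on success, -1 if any step or any check fails. */
int safe_mkdir_chown(const char *name, mode_t mode, uid_t uid, gid_t gid)
{
    char pbuf[PATH_MAX], fbuf[PATH_MAX], *parent, *final;
    struct stat st;
    int ret = -1, fd = -1;
    int saved = open(".", O_RDONLY | O_DIRECTORY); /* assumption: restore cwd later */

    if (saved < 0 || strlen(name) >= PATH_MAX) goto out;
    strcpy(pbuf, name);            /* dirname()/basename() may modify their input */
    strcpy(fbuf, name);
    parent = dirname(pbuf);
    final = basename(fbuf);
    if (chdir(parent) != 0 || !cwd_is(parent)) goto out; /* parent is not where we expect */
    if (mkdir(final, mode) != 0) goto out;               /* an existing entry is a failure */
    if (chdir(final) != 0 || !cwd_is(name)) goto out;    /* entry replaced after mkdir */
    if ((fd = open(".", O_RDONLY | O_DIRECTORY)) < 0) goto out;
    if (fstat(fd, &st) != 0 || st.st_uid != geteuid()) goto out; /* not the dir we made */
    if (fchown(fd, uid, gid) == 0) ret = 0;              /* acts on the checked fd only */
out:
    if (fd >= 0) close(fd);
    if (saved >= 0) { if (fchdir(saved) != 0) ret = -1; close(saved); }
    return ret;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s /abs/canonical/newdir\n", argv[0]); return 2; }
    return safe_mkdir_chown(argv[1], 0755, geteuid(), getegid()) == 0 ? 0 : 1;
}
```

A failed check after `mkdir()` leaves the new directory in place; the sequence detects the race rather than undoing it.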