[PATCHESv2] Add vfs_admin vfs module

Uri Simchoni uri at samba.org
Tue Oct 6 17:08:39 UTC 2015


On 10/06/2015 07:13 PM, Jeremy Allison wrote:
> On Tue, Oct 06, 2015 at 08:41:12AM -0700, Jeremy Allison wrote:
>> On Tue, Oct 06, 2015 at 08:36:34AM -0700, Jeremy Allison wrote:
>>> For directories, the only "safe" POSIX way to do this as
>>> root is :
>>>
>>> a). mkdir(name)
>>> b). fd = open(name, O_RDONLY);
>>> c). fstat(fd);
>>> d). Ensure owner/primary group match current POSIX
>>> creds.
>>> e). fchown(fd, newcreds);
>>>
>>> That's not race-free, but at least it can detect
>>> any races.
>> Correction ! That should be:
>>
>> a). mkdir(name)
>> a1). chdir(name);
>> b). fd = open(".", O_RDONLY);
>> c). fstat(fd);
>> d). Ensure owner/primary group match current POSIX
>> creds.
>> e). fchown(fd, newcreds);
>>
>> This stuff is tricky :-).
> And the above is *also* wrong :-).
>
> The correct (*) way is :
>
> parent_name = get_parent_name(name);
> final_component = get_final_component(name);
> chdir(parent_name);
> check_name = realpath(".");
> ensure check_name == parent_name;
> mkdir(final_component);
> chdir(final_component);
> check_name = realpath(".");
> ensure check_name == name;
> fd = open(".", O_RDONLY);
> fstat(fd);
> ensure stat owner matches current posix creds.
> fchown(fd, new_creds);
>
> (*) until I or someone else spots another flaw :-).
>
> This of course won't work with pathnames
> deliberately containing symlinks, but is
> as safe as I can think of on the spur-of
> the moment.
UNIX. Worse is Better(tm).

https://www.jwz.org/doc/worse-is-better.html

I'll incorporate that in the next version. Would you say the first 
version of your raceless chown is sufficient for symlinks and "mknod"'s?

Thanks,
Uri.
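The sequence Jeremy lays out above, written out in C as an added example (not Samba code and not from this thread). It assumes a POSIX system, an absolute symlink-free path, and that the caller accepts a changed working directory; `safe_mkdir_chown` and `demo` are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Create 'name' (absolute, symlink-free) and hand it to uid:gid, checking at
 * each step that the kernel agrees about where we are, so a rename or symlink
 * swapped in by another user is detected before fchown() runs. Returns 0, or
 * -1 with errno set (ELOOP for a detected mismatch). Changes the cwd. */
int safe_mkdir_chown(const char *name, mode_t mode, uid_t uid, gid_t gid)
{
    char p1[PATH_MAX], p2[PATH_MAX], check[PATH_MAX];
    struct stat pst, st;
    /* dirname()/basename() may modify their argument: work on copies */
    snprintf(p1, sizeof p1, "%s", name);
    snprintf(p2, sizeof p2, "%s", name);
    const char *parent = dirname(p1), *leaf = basename(p2);
    if (chdir(parent) < 0 || !realpath(".", check) || stat(".", &pst) < 0)
        return -1;
    if (strcmp(check, parent) != 0) { errno = ELOOP; return -1; }
    if (mkdir(leaf, mode) < 0 || chdir(leaf) < 0 || !realpath(".", check))
        return -1;
    if (strcmp(check, name) != 0) { errno = ELOOP; return -1; }
    int fd = open(".", O_RDONLY | O_DIRECTORY);
    if (fd < 0 || fstat(fd, &st) < 0) { if (fd >= 0) close(fd); return -1; }
    /* the new directory must still be ours; a setgid parent (or BSD group
     * semantics) legitimately gives it the parent's group instead of egid */
    if (st.st_uid != geteuid() ||
        (st.st_gid != getegid() && st.st_gid != pst.st_gid)) {
        close(fd); errno = ELOOP; return -1;
    }
    if (fchown(fd, uid, gid) < 0) { close(fd); return -1; }
    return close(fd);
}
/* Self-check on a constructed temp dir: child handed to our own ids, which
 * is always permitted, so this runs unprivileged. Returns 0 on success. */
int demo(void)
{
    char tmpl[] = "/tmp/safe_mkdir_XXXXXX", base[PATH_MAX], name[PATH_MAX];
    if (!mkdtemp(tmpl) || !realpath(tmpl, base)) return -1;
    snprintf(name, sizeof name, "%s/child", base);
    int rc = safe_mkdir_chown(name, 0700, geteuid(), getegid());
    if (chdir("/") < 0) rc = -1;
    rmdir(name); rmdir(base);
    return rc;
}
```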


