tech-security archive
open()ing a directory without O_DIRECTORY
Hi,
on BSD, it has historically been possible to open() and read() a
directory. While this is fun, it also leaks part of the history of the
contents of the directory. E.g. you give rights to a directory after
clearing its contents, and you actually give access to many filenames
present in that directory when it had more restrictive rights.
I fail to see any fair use of this behaviour (except for pedagogical
purposes), and would like to suggest that we return EISDIR when a
directory is open()ed without O_DIRECTORY, and make sure that even then
they can't be read()/mmap()ed/... directly (didn't check if it's the
case now).
Does anyone see a good reason to keep the historical behaviour? FWIW, I
think at least OpenBSD dropped that.
Regards,
Aymeric
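
Added example, not part of the original message: a small C probe that reports which of the behaviours discussed above a given system has, by opening a directory without O_DIRECTORY and attempting a plain read() on it. The `probe` enum and the function name are hypothetical names chosen for this illustration; any read() that does not fail is counted as raw access.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum probe { PROBE_ERROR = -1, PROBE_NOT_DIR, PROBE_OPEN_REFUSED,
             PROBE_READ_REFUSED, PROBE_RAW_READ };

/* Open path without O_DIRECTORY, then try a plain read() on the descriptor.
 * *err receives the errno of the call that failed, or 0. */
enum probe probe_dir_read(const char *path, int *err)
{
    char buf[512];
    struct stat st;
    ssize_t n;
    int fd;

    *err = 0;
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        *err = errno;
        /* EISDIR at open() time is the behaviour proposed in the message. */
        return *err == EISDIR ? PROBE_OPEN_REFUSED : PROBE_ERROR;
    }
    if (fstat(fd, &st) < 0) { *err = errno; close(fd); return PROBE_ERROR; }
    if (!S_ISDIR(st.st_mode)) { close(fd); return PROBE_NOT_DIR; }
    n = read(fd, buf, sizeof buf);   /* historical BSD: returns raw entries */
    if (n < 0)
        *err = errno;                /* saved before close() can change it */
    close(fd);
    return n < 0 ? PROBE_READ_REFUSED : PROBE_RAW_READ;
}

int main(int argc, char **argv)
{
    static const char *const msg[] = { "not a directory", "open() refused",
        "read() refused", "raw directory bytes readable" };
    const char *path = argc > 1 ? argv[1] : ".";
    int err;
    enum probe r = probe_dir_read(path, &err);

    if (r == PROBE_ERROR) {
        fprintf(stderr, "%s: %s\n", path, strerror(err));
        return 2;
    }
    printf("%s: %s%s%s\n", path, msg[r], err ? ": " : "", err ? strerror(err) : "");
    return r == PROBE_RAW_READ;  /* non-zero exit when raw reads are allowed */
}
```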