Subject: Re: CVS commit: src/usr.bin/find
To: Perry E. Metzger <firstname.lastname@example.org>
From: SODA Noriyuki <email@example.com>
Date: 02/07/2007 21:38:09
>>>>> On Wed, 07 Feb 2007 07:10:51 -0500,
"Perry E. Metzger" <firstname.lastname@example.org> said:
>> The "-delete" option is a very specific feature to deal with symbolic
>> link race, and its usage is very limited.
> It does not fix a symbolic link race. It is perfectly straightforward
> to still cause the race if you want to.
Hmm, how do you cause the race?
The -delete option uses our fts(3) as follows:
1. It calls lstat(2) to see whether the entry is a directory or not.
If it is not a directory (e.g. a symlink, a file, etc.), it does not
follow the entry.
2. It calls open(2) against the directory.
3. It calls fstat(2) against the descriptor returned by 2.
4. It checks whether the st_dev and the st_ino which are returned by
step 3 are certainly same with the st_dev and st_ino which are
returned by step 1.
5. if step 4 succeeds, it calls fchdir(2) against the descriptor.
Only place where a malicious user can change the directory entry to
a symbolic link is between step 1 and step 2.
But this procedure can detect the attack by the check in the step 4.
Or, am I missing something?