Subject: Re: CVS commit: src/usr.bin/find
To: Perry E. Metzger <perry@piermont.com>
From: SODA Noriyuki <soda@sra.co.jp>
List: tech-userlevel
Date: 02/07/2007 21:38:09
>>>>> On Wed, 07 Feb 2007 07:10:51 -0500,
      "Perry E. Metzger" <perry@piermont.com> said:

>> The "-delete" option is a very specific feature to deal with symbolic
>> link race, and its usage is very limited.

> It does not fix a symbolic link race. It is perfectly straightforward
> to still cause the race if you want to.

Hmm, how do you cause the race?

The -delete option uses our fts(3) as follows:
1. It calls lstat(2) to see whether the entry is a directory or not.
   If it is not a directory (e.g. a symlink, a file, etc.), it does not
   follow the entry.
2. It calls open(2) against the directory.
3. It calls fstat(2) against the descriptor returned by step 2.
4. It checks whether the st_dev and the st_ino which are returned by
   step 3 are certainly the same as the st_dev and st_ino which are
   returned by step 1.
5. If step 4 succeeds, it calls fchdir(2) against the descriptor.

The only place where a malicious user can change the directory entry to
a symbolic link is between step 1 and step 2.
But this procedure can detect the attack by the check in step 4.

Or, am I missing something?
-- 
soda
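The five-step procedure above, carried out on a scratch directory, as an added example that is not from this mail or from the NetBSD find(1)/fts(3) sources: it runs lstat(2), open(2), fstat(2), the st_dev/st_ino comparison and an fchdir(2) that is immediately undone, and reports what the check returns when the entry is an honest directory, when it is swapped for a symlink in the window between step 1 and step 2, and when it is a symlink already at step 1. The enum names, run_scenario() and the mkdtemp(3) fixture under /tmp are assumptions of this example; only the system calls the mail names are used.

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of the checked descent (names are this example's own). */
enum descend_result {
    DESCEND_OK = 0,      /* steps 1-4 passed; step 5 (fchdir) may proceed */
    DESCEND_NOT_DIR = 1, /* step 1: not a directory, so it is never followed */
    DESCEND_RACE = 2,    /* step 4: dev/ino of the opened object differ from step 1 */
    DESCEND_ERROR = 3    /* a system call failed */
};

/* Step 1: lstat(2) does not follow a symlink, so a symlink shows up as one. */
static int step1_lstat(const char *path, struct stat *before)
{
    if (lstat(path, before) == -1)
        return DESCEND_ERROR;
    return S_ISDIR(before->st_mode) ? DESCEND_OK : DESCEND_NOT_DIR;
}

/* Steps 2-4: open(2) the entry, fstat(2) the descriptor, and require the same
   st_dev/st_ino that step 1 saw. On DESCEND_OK, *fdp is the open descriptor. */
static int steps2to4_open_and_verify(const char *path, const struct stat *before, int *fdp)
{
    struct stat after;
    *fdp = -1;
    int fd = open(path, O_RDONLY);                       /* step 2 */
    if (fd == -1)
        return DESCEND_ERROR;
    if (fstat(fd, &after) == -1) {                       /* step 3 */
        close(fd);
        return DESCEND_ERROR;
    }
    if (before->st_dev != after.st_dev ||                /* step 4 */
        before->st_ino != after.st_ino) {
        close(fd);
        return DESCEND_RACE;
    }
    *fdp = fd;
    return DESCEND_OK;
}

/* Constructed fixture under mkdtemp(3): <tmp>/victim and <tmp>/elsewhere.
   mode 0: victim is an honest directory throughout.
   mode 1: victim is renamed aside and replaced by a symlink to elsewhere in
           the window between step 1 and step 2 (the only window the mail names).
   mode 2: victim is already a symlink to elsewhere when step 1 runs.
   Returns the enum descend_result the procedure reports. */
int run_scenario(int mode)
{
    char tmp[] = "/tmp/findrace.XXXXXX";
    if (mkdtemp(tmp) == NULL)
        return DESCEND_ERROR;
    char victim[64], aside[64], elsewhere[64];
    snprintf(victim, sizeof victim, "%s/victim", tmp);
    snprintf(aside, sizeof aside, "%s/victim.orig", tmp);
    snprintf(elsewhere, sizeof elsewhere, "%s/elsewhere", tmp);
    int result = DESCEND_ERROR, is_link = (mode == 2);
    if (mkdir(elsewhere, 0700) == 0 &&
        (is_link ? symlink(elsewhere, victim) : mkdir(victim, 0700)) == 0) {
        struct stat before;
        result = step1_lstat(victim, &before);
        if (result == DESCEND_OK && mode == 1) {
            /* the swap lands between step 1 and step 2 */
            if (rename(victim, aside) == 0 && symlink(elsewhere, victim) == 0)
                is_link = 1;
            else
                result = DESCEND_ERROR;
        }
        if (result == DESCEND_OK) {
            int fd;
            result = steps2to4_open_and_verify(victim, &before, &fd);
            if (result == DESCEND_OK) {
                /* step 5: fchdir(2) into the verified directory, then come back
                   so the cleanup below runs from the original cwd */
                int here = open(".", O_RDONLY);
                if (here == -1 || fchdir(fd) != 0 || fchdir(here) != 0)
                    result = DESCEND_ERROR;
                if (here != -1)
                    close(here);
                close(fd);
            }
        }
    }
    /* tear the fixture down (calls that do not apply fail harmlessly) */
    if (is_link) unlink(victim); else rmdir(victim);
    rmdir(aside);
    rmdir(elsewhere);
    rmdir(tmp);
    return result;
}

int main(void)
{
    printf("honest directory:             %d (expect %d)\n", run_scenario(0), DESCEND_OK);
    printf("swapped between step 1 and 2: %d (expect %d)\n", run_scenario(1), DESCEND_RACE);
    printf("symlink already at step 1:    %d (expect %d)\n", run_scenario(2), DESCEND_NOT_DIR);
    return 0;
}
```

In mode 1 the open(2) in step 2 follows the planted symlink and succeeds, which is why step 4 is the step that matters: the descriptor's st_dev/st_ino belong to "elsewhere", not to the directory lstat(2) reported, and the descent is refused before fchdir(2) ever runs.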