Subject: Re: CVS commit: src/usr.bin/find
To: SODA Noriyuki <soda@sra.co.jp>
From: Perry E. Metzger <perry@piermont.com>
List: tech-userlevel
Date: 02/07/2007 07:59:23
SODA Noriyuki <soda@sra.co.jp> writes:
>>>>>> On Wed, 07 Feb 2007 07:10:51 -0500,
>       "Perry E. Metzger" <perry@piermont.com> said:
>
>>> The "-delete" option is a very specific feature to deal with the symbolic
>>> link race, and its usage is very limited.
>
>> It does not fix a symbolic link race. It is perfectly straightforward
>> to still cause the race if you want to.
>
> Hmm, how do you cause the race?

I may be mistaken. I remembered that there was still a way around this
but now that I'm stepping through the lstat/fstat part I don't see
what it was (assuming inode numbers are not rapidly recycled).

Perry

> The -delete option uses our fts(3) as follows:
> 1. It calls lstat(2) to see whether the entry is a directory or not.
>   If it is not a directory (e.g. a symlink, a file, etc.), it does not
>   follow the entry.
> 2. It calls open(2) against the directory.
> 3. It calls fstat(2) against the descriptor returned by 2.
> 4. It checks whether the st_dev and the st_ino which are returned by
>    step 3 are certainly the same as the st_dev and st_ino which are
>    returned by step 1.
> 5. if step 4 succeeds, it calls fchdir(2) against the descriptor.
>
> The only place where a malicious user can change the directory entry to
> a symbolic link is between step 1 and step 2.
> But this procedure can detect the attack by the check in step 4.
>
> Or, am I missing something?
> -- 
> soda