Subject: Re: CVS commit: src/usr.bin/find
To: SODA Noriyuki <>
From: Perry E. Metzger <>
List: tech-userlevel
Date: 02/07/2007 07:59:23
SODA Noriyuki <> writes:
>>>>>> On Wed, 07 Feb 2007 07:10:51 -0500,
>       "Perry E. Metzger" <> said:
>>> The "-delete" option is a very specific feature to deal with symbolic
>>> link race, and its usage is very limited.
>> It does not fix a symbolic link race. It is perfectly straightforward
>> to still cause the race if you want to.
> Hmm, how do you cause the race?

I may be mistaken. I remembered that there was still a way around this
but now that I'm stepping through the lstat/fstat part I don't see
what it was (assuming inode numbers are not rapidly recycled).


> The -delete option uses our fts(3) as follows:
> 1. It calls lstat(2) to see whether the entry is a directory or not.
>   If it is not a directory (e.g. a symlink, a file, etc.), it does not
>   follow the entry.
> 2. It calls open(2) against the directory.
> 3. It calls fstat(2) against the descriptor returned by 2.
> 4. It checks whether the st_dev and the st_ino which are returned by
>    step 3 are certainly same with the st_dev and st_ino which are
>    returned by step 1.
> 5. if step 4 succeeds, it calls fchdir(2) against the descriptor.
> Only place where a malicious user can change the directory entry to
> a symbolic link is between step 1 and step 2.
> But this procedure can detect the attack by the check in the step 4.
> Or, am I missing something?
> -- 
> soda