Subject: Re: CVS commit: src/usr.bin/find
To: SODA Noriyuki <email@example.com>
From: Perry E. Metzger <firstname.lastname@example.org>
Date: 02/07/2007 07:59:23
SODA Noriyuki <email@example.com> writes:
>>>>>> On Wed, 07 Feb 2007 07:10:51 -0500,
> "Perry E. Metzger" <firstname.lastname@example.org> said:
>>> The "-delete" option is a very specific feature to deal with symbolic
>>> link race, and its usage is very limited.
>> It does not fix a symbolic link race. It is perfectly straightforward
>> to still cause the race if you want to.
> Hmm, how do you cause the race?
I may be mistaken. I remembered that there was still a way around this
but now that I'm stepping through the lstat/fstat part I don't see
what it was (assuming inode numbers are not rapidly recycled).
> The -delete option uses our fts(3) as follows:
> 1. It calls lstat(2) to see whether the entry is a directory or not.
> If it is not a directory (e.g. a symlink, a file, etc.), it does not
> follow the entry.
> 2. It calls open(2) against the directory.
> 3. It calls fstat(2) against the descriptor returned by 2.
> 4. It checks whether the st_dev and st_ino which are returned by
> step 3 are certainly the same as the st_dev and st_ino which are
> returned by step 1.
> 5. If step 4 succeeds, it calls fchdir(2) against the descriptor.
> The only place where a malicious user can change the directory entry to
> a symbolic link is between step 1 and step 2.
> But this procedure can detect the attack by the check in step 4.
> Or, am I missing something?
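The lstat/open/fstat/dev-ino procedure quoted above, written out in C as an added example (not NetBSD's fts(3) source); the /tmp directory, symlink and file in demo_symlink_check() are a constructed scenario for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

/* Steps 1-4 of the quoted fts(3) procedure: open a directory entry only if the
 * descriptor refers to the same inode that lstat(2) saw. Returns the descriptor
 * (the caller then does fchdir(fd), step 5), or -1 with errno set if the entry is
 * not a directory or was swapped between step 1 and step 2. */
int open_dir_checked(const char *path)
{
    struct stat lsb, fsb;
    if (lstat(path, &lsb) == -1) return -1;                /* step 1: no symlink following */
    if (!S_ISDIR(lsb.st_mode)) { errno = ENOTDIR; return -1; }
    /* step 2: plain open, as in the thread; O_NOFOLLOW/O_DIRECTORY would narrow it further */
    int fd = open(path, O_RDONLY);
    if (fd == -1) return -1;
    if (fstat(fd, &fsb) == -1) { close(fd); return -1; }   /* step 3: stat the fd we hold */
    if (fsb.st_dev != lsb.st_dev || fsb.st_ino != lsb.st_ino) { /* step 4 */
        close(fd); errno = EAGAIN; return -1;              /* entry changed under us */
    }
    return fd;
}

/* Constructed scenario (not from the thread): a real directory, a symlink to it
 * and a regular file under /tmp. Returns 1 if only the real directory passes. */
int demo_symlink_check(void)
{
    char dir[64], lnk[64], reg[64];
    snprintf(dir, sizeof dir, "/tmp/fts_demo_dir_%ld", (long)getpid());
    snprintf(lnk, sizeof lnk, "/tmp/fts_demo_lnk_%ld", (long)getpid());
    snprintf(reg, sizeof reg, "/tmp/fts_demo_reg_%ld", (long)getpid());
    if (mkdir(dir, 0700) == -1) return 0;
    int rfd = open(reg, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (rfd == -1 || symlink(dir, lnk) == -1) { rmdir(dir); unlink(reg); return 0; }
    close(rfd);
    int ok = 1, fd = open_dir_checked(dir);        /* genuine directory: accepted */
    if (fd == -1) ok = 0; else close(fd);
    if (open_dir_checked(lnk) != -1) ok = 0;       /* symlink: refused at step 1 */
    if (open_dir_checked(reg) != -1) ok = 0;       /* regular file: refused at step 1 */
    unlink(lnk); unlink(reg); rmdir(dir);
    return ok;
}
```

The demo can only exercise the step-1 refusals; the step-4 comparison is the part that would catch an entry replaced between lstat(2) and open(2), which a single-threaded test cannot reproduce.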