Re: bin/55815: tar opens device files

[Christos Zoulas <christos%zoulas.com@localhost>]

The following reply was made to PR bin/55815; it has been noted by GNATS.

From: Christos Zoulas <christos%zoulas.com@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: gnats-admin%netbsd.org@localhost,
 netbsd-bugs%netbsd.org@localhost,
 "martin%netbsd.org@localhost" <martin%NetBSD.org@localhost>
Subject: Re: bin/55815: tar opens device files
Date: Sat, 5 Jun 2021 09:17:54 -0400

 --Apple-Mail=_686C3893-A0BA-4A3B-862E-E15AD9F17BEC
 Content-Transfer-Encoding: quoted-printable
 Content-Type: text/plain;
 	charset=us-ascii
 
 Well, if you want to avoid TOCTOA, you need something like linux's =
 O_PATH
 which opens the file for "stat" like access only. But even linux does =
 not have
 a way to "upgrade" that fd to be able to read, short of:
 
 fd =3D open(path, O_PATH);
 fstat(fd, &st);
 if (is a device)
 	bail;
 snprintf(buf, sizeof(buf), "/proc/self/fds/%d", fd);
 nfd =3D open(buf, O_RDONLY);
 
 We do have O_EXEC, but I am not sure if that is the same as O_PATH (if =
 it
 does not really open the device)
 
 christos
 
 --Apple-Mail=_686C3893-A0BA-4A3B-862E-E15AD9F17BEC
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
 	filename=signature.asc
 Content-Type: application/pgp-signature;
 	name=signature.asc
 Content-Description: Message signed with OpenPGP
 
 -----BEGIN PGP SIGNATURE-----
 Comment: GPGTools - http://gpgtools.org
 
 iF0EARECAB0WIQS+BJlbqPkO0MDBdsRxESqxbLM7OgUCYLt5ggAKCRBxESqxbLM7
 OmQsAJ0Tc/rY72tQlDhqcx9aDr2btMGvXACdF9kIbR12q+tNUwNROD1xJXinWAY=
 =fRlL
 -----END PGP SIGNATURE-----
 
 --Apple-Mail=_686C3893-A0BA-4A3B-862E-E15AD9F17BEC--