tech-security archive


Re: open()ing a directory without O_DIRECTORY



On 02.03.2019 15:30, Christos Zoulas wrote:
> In article <875zt14d5u.fsf%free.fr@localhost>,
> Aymeric Vincent  <aymericvincent%free.fr@localhost> wrote:
>>
>> Hi,
>>
>> on BSD, it has historically been possible to open() and read() a
>> directory. While this is fun, it also leaks part of the history of the
>> contents of the directory. E.g. you give rights to a directory after
>> clearing its contents, and you actually give access to many filenames
>> present in that directory when it had more restrictive rights.
>>
>> I fail to see any fair use of this behaviour (except for pedagogical
>> purposes), and would like to suggest that we return EISDIR when a
>> directory is open()ed without O_DIRECTORY, and make sure that even then
>> they can't be read()/mmap()ed/... directly (didn't check if it's the
>> case now).
>>
>> Does anyone see a good reason to keep the historical behaviour? FWIW, I
>> think at least OpenBSD dropped that.
> 
> The current behavior is useful because I don't have to modify
> hexdump, od, etc. or write a special program to look at the contents
> of a directory. It is not a security issue, because you can still
> do it with O_DIRECTORY (you still have the data disclosure). It is
> historical behavior as you say, so why break it? What's next, create
> O_DEVICE to open devices, so people don't accidentally mess up
> their terminals when they cat them?
> 
> christos
> 

Personally I would use a sysctl(3) switch to disable it. From time to
time I use cat(1) by mistake against a directory instead of a file,
and it is a DoS for my terminal.

I find it annoying but I understand that there are some use-cases.



