tech-security archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: open()ing a directory without O_DIRECTORY
> On Mar 3, 2019, at 2:17 PM, Aymeric Vincent <aymericvincent%free.fr@localhost> wrote:
>
> christos%astron.com@localhost (Christos Zoulas) writes:
>
>> In article <871s3p49lz.fsf%free.fr@localhost>,
>> Aymeric Vincent <aymericvincent%free.fr@localhost> wrote:
>>>
>>> There is no trivial way to get rid of this no longer valid contents,
>>> since for good reason you can't write to a directory as a file. You have
>>> to re-create it (not always possible due to permissions) or create long
>>> entries until your data disappears... :-/
>>
>> Why? The kernel can just zero out the deleted dirents.
>
> Forgot to mention: "in the current situation". And yes, that's exactly
> what I think, probably the alternative is
>
> - zero out on unlink() so that the data is no longer on the disk
> (Everybody seems to have expressed preference for this solution but I
> think this requires changing all the affected filesystems)
> - zero out in getdents() so that the data cannot be accessed without
> accessing the raw device, mimicking the behaviour of unlink for the
> data: data still present on disk but not accessible without accessing
> the raw device. (This requires forbidding read() and similar on
> directories)
Well, even if you zero out the new entries as you delete them, you need
to have a way to update filesystems that have old unclean directories.
Perhaps we can have fsck do it, or even better have way (through fcntl/ioctl/
new syscall/or even abusing open flags) to clean and/or
compact an existing directory (which we cannot do right now).
I am not opposed to changing O_DIRECTORY to be required to open
directories (and overriding globally via sysctl), but that does not fix the
underlying issue.
christos
Home |
Main Index |
Thread Index |
Old Index