> In the last Unix-like file system implementation I worked on, we
> specifically prevented open(.., O_CREAT...) from following trailing
> symlinks (In fact, none of the system calls that create a file
> follow trailing links - mknod(), mkdir(), symlink(), bind() on
> AF_UNIX socket, etc.).
Right now, we don't follow links for O_CREAT|O_EXCL, although now
that O_NOFOLLOW is available, we could arguably allow this and just
force userspace to use it.
> They rather generate an EEXIST error if there exists a symbolic
> link with the passed name. With this approach, exploits of the type
> this thread has been discussing can't occur.
Initially I chose EACES but later changed it to ELOOP to be
consistent with FreeBSD if for no other reason (it is somewhat more
logical too). This is presently the state of 2.1.127.
-cw
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
That's what we did as well...
> although now
> that O_NOFOLLOW is available, we could arguably allow this and just
> force userspace to use it.
Yes -- I like that idea but I suspect people are depending on the current
behavior...
>
> Initially I chose EACES but later changed it to ELOOP to be
> consistent with FreeBSD if for no other reason (it is somewhat more
> logical too). This is presently the state of 2.1.127.
I found no guidence from the standards so chose EEXIST because that's what gets
returned if any other type of file with the supplied name exists. OTOH, ELOOP at
does clue the caller that there's a symbolic link involved.
Tom
--
Tom Eastep
COMPAQ Computer Corporation
Enterprise Computing Group
Tandem Division
tom.e...@compaq.com
Quite a few binaries from 2.0 go insecure if you change policy on them
> > Yes -- I like that idea but I suspect people are depending on the
> > current behavior...
>
> Quite a few binaries from 2.0 go insecure if you change policy on
> them
Cool... ltes break it in 2.3.x then, perhaps with a prinkt for a bit
to catch the apps. that will break.
Breakage is good.
-cw