James Carlson wrote:
> Don Cragun writes:
>
>> This case tries to allow applications to determine that they
>> have just stat()ed a file that may generate a false positive. It does
>> do that. But there is still no way to determine whether the directory
>> opened by the opendir() was the requested directory or a spoofed
>> directory planted into the file hierarchy between the original *stat*()
>> call and the opendir() call.
>>
>
> Yes, that's exactly the point I was raising.
>

I think we are all in agreement with that statement and are expressing our
concerns in different manners.

> The problem is that doing two stats after opendir() doesn't really add
> any security, as it doesn't cover for a race condition that anyone has
> been able to describe, so I think we ought to be direct and say that
> we are deliberately disabling this security check in this one case.
>

Agreed, I can't express the race condition that I believed was still there.
I also agree with the statement that we need to be direct here.

> I think the alternative (one that preserves the existing security
> checks) would be to add a new flag to fstatat(2).
>

That approach would trigger a mount before the call to fstatat(2). The key
design point in my proposal is that we want to be able to detect that a
directory is a trigger mount without actually triggering the mount.
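For readers following the check being debated above, here is an added illustration (my own code, not part of this thread, the ARC case, or the implementation under discussion) of the stat()-then-opendir() consistency check in standard POSIX C: the caller stat()s the path, opens the directory, then fstat()s the open stream and compares (st_dev, st_ino). I am assuming that this device/inode comparison is the form the "existing security check" takes; the trigger-mount detection flag proposed for fstatat(2) does not exist in POSIX, so it is not modelled here. demo_swap_detected() is a constructed in-process simulation of the scenario Don Cragun describes: a directory is replaced at the same path between the two calls, and the check reports the mismatch.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* declares mkdtemp() and dirfd() under strict modes */
#endif
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the open directory stream refers to the same file system
 * object that an earlier stat() described, 0 if it does not, -1 on error
 * (errno set). This is the post-opendir() verification step. */
int dir_matches_stat(DIR *dir, const struct stat *expected)
{
    struct stat now;
    int fd = dirfd(dir);

    if (fd < 0 || fstat(fd, &now) != 0)
        return -1;
    /* Same device and inode number means the same object. A directory
     * planted at the path between stat() and opendir() carries a
     * different (st_dev, st_ino) pair and fails this test. */
    return (now.st_dev == expected->st_dev &&
            now.st_ino == expected->st_ino) ? 1 : 0;
}

/* Normal case: nothing touches the directory between stat() and opendir().
 * Returns 1 (check passes), 0 (mismatch) or -1 (error). */
int demo_unchanged(const char *path)
{
    struct stat before;
    DIR *d;
    int r;

    if (stat(path, &before) != 0 || (d = opendir(path)) == NULL)
        return -1;
    r = dir_matches_stat(d, &before);
    closedir(d);
    return r;
}

/* Constructed simulation of the race: in a scratch directory under /tmp,
 * stat() a subdirectory, swap a different directory into the same path,
 * then opendir() the path and run the check. Returns 1 if the check
 * detected the swap, 0 if it did not, -1 on setup error. */
int demo_swap_detected(void)
{
    char base[] = "/tmp/opendirchk.XXXXXX";   /* scratch area, constructed */
    char target[64], moved[64];
    struct stat before;
    DIR *d;
    int rc = -1, r;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", base);
    snprintf(moved, sizeof moved, "%s/moved", base);

    if (mkdir(target, 0700) != 0) goto out;
    if (stat(target, &before) != 0) goto out;   /* the "original stat()" */
    /* Between stat() and opendir(): the object at `target` is replaced.
     * The old directory is kept alive as `moved` so its inode number
     * cannot be reused by the new one. */
    if (rename(target, moved) != 0) goto out;
    if (mkdir(target, 0700) != 0) goto out;
    if ((d = opendir(target)) == NULL) goto out;
    r = dir_matches_stat(d, &before);
    closedir(d);
    if (r >= 0)
        rc = (r == 0);   /* detected iff the inode no longer matches */
out:
    rmdir(target);
    rmdir(moved);
    rmdir(base);
    return rc;
}

int main(void)
{
    printf("unchanged directory: %s\n",
           demo_unchanged(".") == 1 ? "check passes" : "check FAILS");
    printf("swapped directory:   %s\n",
           demo_swap_detected() == 1 ? "swap detected" : "swap NOT detected");
    return 0;
}
```

The same comparison is what produces the false positive the case is about: once an automount trigger fires, the directory now at the path belongs to the newly mounted file system, so its st_dev (and st_ino) differ from what the pre-mount stat() returned even though no one planted anything. That is why the thread needs a way to recognise a trigger mount without firing it, rather than simply relaxing the check.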
