>Date: Fri, 05 Oct 2007 11:28:45 -0500
>From: Tom Haynes <Thomas.Haynes at sun.com>
>
>Don Cragun wrote:
>>
>> Any approach that doesn't force the mount is going to leave a security
>> hole. The security hole while doing an ls -l probably isn't
>> important. I understand that there is a significant performance
>> penalty forcing mounts on all *stat*() calls. But surely we can force
>> the mounts if an application explicitly asks for it in an fstatat()
>> call when it knows that skipping the mount may lead to an otherwise
>> undetectable security hole. Both ftw() and nftw() should ask for it.
>> (Forcing the mount on the fstatat() in ftw() and nftw() will make them
>> run faster; not slower. They will be forcing the mounts anyway and
>> this avoids additional checks that have been added trying to plug the
>> security hole that was created by cases approved earlier.)
>>
>>
>> - Don
>
>The issue here is that by the time we get to the fstatat() call, the
>mount has already
>occurred. It isn't just the opendir() call which forces the underlying
>vnops to trigger
>the mount. Whatever call we make to get our hands on the file descriptor
>will
>force the mount to occur.
NO! We don't have a file descriptor yet. The synopsis for fstatat()
is:
int fstatat(int fildes, const char *path, struct stat *buf, int flag);
We're not talking about having flag AT_TRIGGER have any effect on
fildes; we're talking about AT_TRIGGER forcing any path argument that
names a directory for which the current proposal would set the
S_IFTRIGGER bit in the mode field to instead force the mount before
returning mode bits. (So that after the sequence:
fstatat(fildes, dir, &before, AT_TRIGGER);
or: fstatat(0, dir, &before, AT_TRIGGER | AT_FDCWD)
followed by:
dirp = opendir(dir);
fstat(dirfd(dirp), &after);
the application will know that if:
before.st_ino != after.st_ino || before.st_dev != after.st_dev
then someone changed dir between the fstatat() and the opendir() calls
with no chance for spoofing.)
- Don
