On 16/04/10 11:35, Gert Doering wrote:
> Hi,
>
> On Fri, Apr 16, 2010 at 11:16:32AM +0200, David Sommerseth wrote:
>> I'll look more into this, as the only advantage is that if open() with
>> O_EXCL|O_CREAT fails if the file exists, it should be used instead.
>
> Unfortunately, this won't help against symlink attacks directed to
> non-existent files (like "-> /etc/nologin").

That's right, this could create a local DoS. I'm going to have a more careful look at test_file() afterwards. I'm considering making it use stat() instead of just trying to open the file for reading.

> It *will* protect against symlink attacks to existing files (overwriting
> /etc/passwd or something similarly nasty).

Agreed! And that's why I've decided to rewrite the patch to use open() with O_EXCL. With an improved test_file() function, this potential bug should be closed.

I've dived into the kernel code to see what it *really* does (when the man page is so unclear), and it should behave as those other Unices do as well. So, O_EXCL does make sense to avoid overwriting existing files if it is a symlink to an existing file.

Btw ... When diving into the kernel code, I stumbled upon this comment in fs/namei.c:1872:

    /* Does someone understand code flow here? Or it is only
     * me so stupid? Anathema to whoever designed this non-sense
     * with "intent.open". */

Thought that one was worth sharing ;-)

Having said that, this part of the kernel code is not too easy to follow.

Kind regards,

David Sommerseth
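As an added illustration (not code from this thread or from the test_file() function it discusses), the C program below exercises the two checks under debate: open() with O_CREAT|O_EXCL, which refuses to create through a name that already exists, and an lstat() pre-check that rejects any symlink before open() is attempted, dangling or not. The function names and the temp-dir scenario are assumptions for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { CREATED = 0, REFUSED_SYMLINK = 1, REFUSED_EXISTS = 2, FAILED = -1 };

/* lstat (not stat) looks at the final component without following it, so any
 * symlink is refused here whether or not its target exists. */
static int is_symlink(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISLNK(st.st_mode);
}
/* Plain O_CREAT|O_EXCL open: 0 if a new file was created, else errno.
 * POSIX requires EEXIST when the name is a symlink, wherever it points. */
int open_excl_errno(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}
/* Hardened create: lstat first, then O_EXCL, so a link planted between the
 * check and the open still cannot redirect the write. */
int create_nofollow(const char *path)
{
    if (is_symlink(path)) return REFUSED_SYMLINK;
    int err = open_excl_errno(path);
    return err == 0 ? CREATED : err == EEXIST ? REFUSED_EXISTS : FAILED;
}
/* Constructed scenario in a fresh temp dir (assumed writable /tmp): a regular
 * file, a symlink to it and a dangling symlink. Fills out[0..5]; 0 on success. */
int run_demo(int out[6])
{
    char dir[] = "/tmp/excl_demo_XXXXXX", target[64], lnk[64], dangling[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/to_target", dir);
    snprintf(dangling, sizeof dangling, "%s/to_nowhere", dir);
    out[0] = create_nofollow(target);    /* CREATED: brand-new regular file */
    out[1] = create_nofollow(target);    /* REFUSED_EXISTS: it exists now */
    if (symlink(target, lnk) < 0 || symlink("/nonexistent/x", dangling) < 0) return -1;
    out[2] = create_nofollow(lnk);       /* REFUSED_SYMLINK: lstat saw a link */
    out[3] = create_nofollow(dangling);  /* REFUSED_SYMLINK: target need not exist */
    out[4] = open_excl_errno(lnk);       /* EEXIST: O_EXCL alone refuses it */
    out[5] = open_excl_errno(dangling);  /* EEXIST: also for a dangling link */
    return 0;
}
```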