On Fri, 28 Mar 2008, Robert Felber wrote: > 1st: I assumed [ -L /foo/bar ] is the same as [ -L /foo/bar/ ] > > because the -L tells the file test what to look for. But in the > latter form it is checked with S_IFDIR.
If you have a trailing slash, Linux follows the symbolic link and runs lstat on what the link points to, not the link itself. You can demonstrate the same behavior with ls: [EMAIL PROTECTED] ~/tmp $ mkdir foo [EMAIL PROTECTED] ~/tmp $ ln -s foo bar [EMAIL PROTECTED] ~/tmp $ touch foo/baz [EMAIL PROTECTED] ~/tmp $ ls -l bar lrwxrwxrwx 1 henson henson 3 Mar 28 16:21 bar -> foo [EMAIL PROTECTED] ~/tmp $ ls -l bar/ total 0-rw-r--r-- 1 henson henson 0 Mar 28 16:21 baz Interestingly, other operating systems display different behavior. For example, under Solaris 8: $ ls -l bar/ lrwxrwxrwx 1 henson csupomona 3 Mar 28 15:20 bar/ -> foo I'm not sure which is the more correct behavior... Also, the S_IFDIR output from strace isn't an argument to lstat, it's the return value of the lstat call. > 2nd: policyd-weight didn't check the ownership of real directories > which might have been resulted in a race attack. Policyd-weight once > gets the stat/lstat and reuses that information in order to > provide some sort of atomicity of the check_symlnk() sub-routine. There are still race conditions present in the code. It is rather difficult to securely create files/directories in a world writable directory. If you are running on a multiuser system, it's probably best to have the lock directory someplace writable only by the service user. -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | [EMAIL PROTECTED] California State Polytechnic University | Pomona CA 91768 ____________________________________________________________ Policyd-weight Mailinglist - http://www.policyd-weight.org/