On Wed, 9 Aug 2017 18:11:51 +0300 Michael Tokarev <m...@tls.msk.ru> wrote:
> 09.08.2017 17:23, Greg Kurz wrote: > > This function has to ensure it doesn't follow a symlink that could be used > > to escape the virtfs directory. This could be easily achieved if fchmodat() > > on linux honored the AT_SYMLINK_NOFOLLOW flag as described in POSIX, but > > it doesn't. > > > > The current implementation covers most use-cases, but it notably fails if: > > - the target path has access rights equal to 0000 (openat() returns EPERM), > > > > => once you've done chmod(0000) on a file, you can never chmod() again > > - the target path is UNIX domain socket (openat() returns ENXIO) > > => bind() of UNIX domain sockets fails if the file is on 9pfs > > > > The solution is to use O_PATH: openat() now succeeds in both cases, and we > > can ensure the path isn't a symlink with fstat(). The associated entry in > > "/proc/self/fd" can hence be safely passed to the regular chmod() syscall. > > How we can ensure the path isn't a symlink using fstat() ? > > As far as I understand, fstat NEVER, EVER will return S_ISLINK, because > we can't actually "open" a symlink itsef, only the target of the symlink. > Except when O_PATH is passed, as stated in open(2): If pathname is a symbolic link and the O_NOFOLLOW flag is also specified, then the call returns a file descriptor referring to the symbolic link. See Eric's program that proves it at: https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg01600.html > /mjt
pgp3CQm5VNfRI.pgp
Description: OpenPGP digital signature
