On Wed, 9 Aug 2017 18:11:51 +0300
Michael Tokarev <m...@tls.msk.ru> wrote:

> 09.08.2017 17:23, Greg Kurz wrote:
> > This function has to ensure it doesn't follow a symlink that could be used
> > to escape the virtfs directory. This could be easily achieved if fchmodat()
> > on linux honored the AT_SYMLINK_NOFOLLOW flag as described in POSIX, but
> > it doesn't.
> > 
> > The current implementation covers most use-cases, but it notably fails if:
> > - the target path has access rights equal to 0000 (openat() returns EPERM), 
> >  
> >   => once you've done chmod(0000) on a file, you can never chmod() again  
> > - the target path is UNIX domain socket (openat() returns ENXIO)  
> >   => bind() of UNIX domain sockets fails if the file is on 9pfs  
> > 
> > The solution is to use O_PATH: openat() now succeeds in both cases, and we
> > can ensure the path isn't a symlink with fstat(). The associated entry in
> > "/proc/self/fd" can hence be safely passed to the regular chmod() syscall.  
> How we can ensure the path isn't a symlink using fstat() ?
> As far as I understand, fstat NEVER, EVER will return S_ISLINK, because
> we can't actually "open" a symlink itsef, only the target of the symlink.

Except when O_PATH is passed, as stated in open(2):

If  pathname  is a symbolic link and the O_NOFOLLOW flag is also
specified, then the call returns a file descriptor referring  to
the  symbolic  link.

See Eric's program that proves it at:


> /mjt

Attachment: pgp3CQm5VNfRI.pgp
Description: OpenPGP digital signature

Reply via email to