On Sun, 15 Oct 2017 21:13:34 +0200 "Michael Fritscher" <mich...@fritscher.net> wrote:
> > Hi,
> >
> > dumb question: what is the advantage of openat vs. open - only the thing
> > that someone doesn't need to build the path together by hand?
> >
> > If I understand the man page of openat correctly, it does _not_ prevent
> > someone from breaking out of the jail by using e.g. ../../../blah .
> > If this assumption is correct, perhaps it is better to avoid using the
> > *at function family (as it was some time ago) and sanitize the path (by
> > somehow canonicalizing it and then checking if the beginning is ok).
> >
> > Then I could use the "normal" POSIX functions again and avoid using the NT*
> > functions directly, which is not soooo nice for various reasons.
> >
> > Best regards,
> > Michael Fritscher
>
> Hi again,
>
> I see one thing: symlinks somewhere in the path (which seemed to be the
> reason for introducing the *at family). But I think that this can be handled
> by canonicalizing the path, too. realpath should do the job quite well.
>

Unfortunately no, because we have a TOCTOU condition here: some path element
could be replaced by a symlink after realpath() but before we actually pass
the resulting path to a syscall.

> Best regards,
> Michael Fritscher
>