Miklos Szeredi <[EMAIL PROTECTED]> wrote:
>> For example, consider the classic symlink attack.
>> We're not supposed to follow symlinks and our system lacks support
>> for open's O_NOFOLLOW flag. So we lstat the target directory,
>> determine that it is indeed a directory, then open it. But between
>> the lstat and the open, someone moved it aside and replaced it with
>> a symlink to another directory. The only way to detect that is to
>> compare dev/inode pairs before and after.
>
> OK, but for systems which do have O_NOFOLLOW, this isn't necessary and
> less efficient than just using O_NOFOLLOW. So can't this test be made
> conditional for systems lacking O_NOFOLLOW?
For that one yes, but there is a more insidious attack. The case in which a partially processed (visited just once so far) directory is renamed to reside at a different level in the file system hierarchy must also be detected. There, O_NOFOLLOW doesn't help at all. It can be detected upon traversing a ".." link only by comparing prior and current dev/ino pairs.
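As an added illustration (not code from this thread or from any project discussed in it), here are the two dev/ino comparisons in C: the lstat/fstat check around open(), which a kernel O_NOFOLLOW makes redundant, and the ".." check against the recorded parent, which O_NOFOLLOW cannot replace. The demo() function, its directory layout under /tmp and the function names are constructed for this example.

```c
#ifndef _GNU_SOURCE
# define _GNU_SOURCE   /* expose fstatat, mkdtemp, O_DIRECTORY on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_NOFOLLOW
# define O_NOFOLLOW 0   /* no kernel support: rely on the dev/ino check below */
#endif

static int same_file(const struct stat *a, const struct stat *b)
{ return a->st_dev == b->st_dev && a->st_ino == b->st_ino; }

/* Open DIR without following a symlink.  Returns an fd, or -1 if DIR is not a
   directory or changed identity between lstat and open (rename-to-symlink race). */
int open_dir_nofollow(const char *dir)
{
  struct stat before, after;
  if (lstat(dir, &before) != 0 || !S_ISDIR(before.st_mode)) return -1;
  int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
  if (fd < 0) return -1;
  if (fstat(fd, &after) != 0 || !same_file(&before, &after))
    { close(fd); return -1; }
  return fd;
}

/* Before following ".." out of CHILD_FD, confirm it still leads to the directory
   recorded in PARENT when CHILD was entered; otherwise CHILD was moved elsewhere. */
int dotdot_is_recorded_parent(int child_fd, const struct stat *parent)
{
  struct stat st;
  return fstatat(child_fd, "..", &st, 0) == 0 && same_file(parent, &st);
}

/* Constructed scenario: base/parent/child, then child is moved up to base/child
   while it is still open, i.e. while it is "partially processed". */
int demo(void)
{
  char base[] = "/tmp/dotdotXXXXXX", parent[64], child[64], moved[64];
  if (!mkdtemp(base)) return -1;
  snprintf(parent, sizeof parent, "%s/parent", base);
  snprintf(child, sizeof child, "%s/child", parent);
  snprintf(moved, sizeof moved, "%s/child", base);
  if (mkdir(parent, 0700) || mkdir(child, 0700)) return -1;
  struct stat pst; if (stat(parent, &pst)) return -1;
  int fd = open_dir_nofollow(child); if (fd < 0) return -1;
  int before = dotdot_is_recorded_parent(fd, &pst);   /* 1: still under parent */
  if (rename(child, moved)) return -1;
  int after = dotdot_is_recorded_parent(fd, &pst);    /* 0: ".." now leads to base */
  close(fd); rmdir(moved); rmdir(parent); rmdir(base);
  return before == 1 && after == 0;
}
```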