Miklos Szeredi <[EMAIL PROTECTED]> wrote:

>> >> For example, consider the classic symlink attack.
>> >> We're not supposed to follow symlinks and our system lacks support
>> >> for open's O_NOFOLLOW flag. So we lstat the target directory,
>> >> determine that it is indeed a directory, then open it. But between
>> >> the lstat and the open, someone moved it aside and replaced it with
>> >> a symlink to another directory. The only way to detect that is to
>> >> compare dev/inode pairs before and after.
>> >
>> > OK, but for systems which do have O_NOFOLLOW, this isn't necessary and
>> > less efficient than just using O_NOFOLLOW. So can't this test be made
>> > conditional for systems lacking O_NOFOLLOW?
>>
>> For that one yes, but there is a more insidious attack.
>>
>> The case in which a partially processed (visited just once so far)
>> directory is renamed to reside at a different level in the file system
>
> You mean a directory that is an ancestor of the current directory, but
> a descendant of the root of find is moved?

Yes.

>> hierarchy must also be detected. There, O_NOFOLLOW doesn't help at all.
>> It can be detected upon traversing a ".." link only by comparing prior
>> and current dev/ino pairs.
>
> Shouldn't holding the current directory open prevent the ancestor from
> changing inodes in this case?

No. What's changed is the identity (dev/inode) of the parent directory,
once you try to chdir("..") "up" beyond the renamed directory.
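The two checks the thread describes, as an added C example that is not part of the thread and is not find's own code: `open_dir_matching` is the lstat/open/fstat dev+ino comparison for the symlink swap (with O_NOFOLLOW used where the header defines it), and `ascend_verified` is the check made after `chdir("..")` that catches a partially processed directory renamed to a different level. The helper names, the scratch tree under `/tmp` and the two `demo_*` scenarios that stage each race in a private temporary directory are this example's own constructions.

```c
/* Added example, not from the thread: dev/inode identity checks of the kind
 * discussed above. All helper names and paths here are this example's own. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct dir_id { dev_t dev; ino_t ino; };

/* Remember PATH's identity without following a final symlink. */
int record_id(const char *path, struct dir_id *id)
{
    struct stat sb;
    if (lstat(path, &sb) != 0)
        return -1;
    id->dev = sb.st_dev;
    id->ino = sb.st_ino;
    return 0;
}

/* Open directory NAME and confirm it is still the object recorded in ID.
 * O_NOFOLLOW (where defined) rejects a substituted symlink outright; the
 * fstat comparison is the portable fallback the thread describes.
 * Returns an fd, -1 if open fails, -2 if the identity changed. */
int open_dir_matching(const char *name, const struct dir_id *id)
{
    int flags = O_RDONLY | O_DIRECTORY;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    int fd = open(name, flags);
    if (fd < 0)
        return -1;
    struct stat sb;
    if (fstat(fd, &sb) != 0 || sb.st_dev != id->dev || sb.st_ino != id->ino) {
        close(fd);
        return -2;
    }
    return fd;
}

/* chdir("..") and check we arrived where we descended from.
 * Returns 1 if the parent is unchanged, 0 if its identity differs, -1 on error. */
int ascend_verified(const struct dir_id *expected_parent)
{
    struct stat sb;
    if (chdir("..") != 0 || stat(".", &sb) != 0)
        return -1;
    return sb.st_dev == expected_parent->dev && sb.st_ino == expected_parent->ino;
}

/* Scratch directory (absolute path, caller frees) for the two scenarios. */
static char *make_scratch(void)
{
    char tmpl[] = "/tmp/dirid.XXXXXX";
    const char *d = mkdtemp(tmpl);
    if (!d) { strcpy(tmpl, "./dirid.XXXXXX"); d = mkdtemp(tmpl); }
    return d ? realpath(d, NULL) : NULL;
}

/* Scenario 1: a symlink is substituted between lstat() and open().
 * Returns 1 if the open is rejected, 0 if it wrongly succeeds, -1 on error. */
int demo_symlink_swap(void)
{
    char *root = make_scratch();
    int saved = open(".", O_RDONLY | O_DIRECTORY);
    if (!root || saved < 0 || chdir(root) != 0)
        return -1;
    struct dir_id id;
    if (mkdir("target", 0700) || mkdir("elsewhere", 0700) || record_id("target", &id))
        return -1;                       /* step 1: lstat() said "directory" */
    (void)rename("target", "moved");     /* the race window: it gets swapped */
    (void)symlink("elsewhere", "target");
    int fd = open_dir_matching("target", &id);   /* step 2: open and verify */
    int rejected = fd < 0;
    if (fd >= 0) close(fd);
    (void)unlink("target"); (void)rmdir("moved"); (void)rmdir("elsewhere");
    (void)fchdir(saved); close(saved); (void)rmdir(root); free(root);
    return rejected;
}

/* Scenario 2: the directory we stand in is renamed to a different level.
 * Returns 1 if the ".." check detects it, 0 if not, -1 on error. */
int demo_renamed_ancestor(void)
{
    char *root = make_scratch();
    int saved = open(".", O_RDONLY | O_DIRECTORY);
    if (!root || saved < 0 || chdir(root) != 0)
        return -1;
    struct dir_id parent;
    if (mkdir("a", 0700) || mkdir("a/b", 0700) || mkdir("c", 0700) || chdir("a"))
        return -1;
    if (record_id(".", &parent) || chdir("b"))   /* remember a, enter a/b */
        return -1;
    char from[512], to[512], p[512];
    snprintf(from, sizeof from, "%s/a/b", root);
    snprintf(to, sizeof to, "%s/c/b", root);
    (void)rename(from, to);              /* a/b becomes c/b under our feet */
    int detected = ascend_verified(&parent) == 0;   /* ".." now leads to c */
    (void)rmdir(to);
    (void)fchdir(saved); close(saved);
    snprintf(p, sizeof p, "%s/a", root); (void)rmdir(p);
    snprintf(p, sizeof p, "%s/c", root); (void)rmdir(p);
    (void)rmdir(root); free(root);
    return detected;
}

int main(void)
{
    printf("symlink swap rejected: %d\n", demo_symlink_swap());
    printf("renamed ancestor detected: %d\n", demo_renamed_ancestor());
    return 0;
}
```

Holding an open descriptor on the current directory keeps that directory alive, but it does not pin what ".." resolves to: after the rename, the parent reached by `chdir("..")` is a different inode, which is exactly what `ascend_verified` compares against the identity recorded on the way down.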