Kamil Dudka wrote: ... >> > Any idea how to solve the problem? Thanks in advance! >> >> I don't see how we can justify any such change. >> Being able to detect whether the traversal returns to a previously >> visited directory is required for security and reliability. Weakening >> that device/inode equality check by removing the device comparison part >> would leave every fts-using tool open to a particularly subtle -- but >> nonetheless serious -- type of attack. > > That's exactly why I've written another patch. The patch proposed by me does > not bypass the ino/dev check on the return. It only updates the stat data > right after opening a directory.
Oh! I didn't look carefully enough at that one. Have you measured the performance penalty it incurs? I hope it is possible to do the same thing, but with less of a penalty. I'm afraid we'll have to do something like that one way or another. At best, the impact will be so small that we won't even have to provide a new "flag" to enable it.
