[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Safe file update library ready (sort of)

On 03/01/11 14:10, Adam Borowski wrote:

There's a race condition:

while [ 1 ]; do ln -s /etc/passwd somefile.tmp; done
"Hey root, could you please use this program using libsafewrite on

Two questions:
1. Is this race a regression from the single file case?
2. Is this race avoidable?

In essence, it is impossible, as far as I know (patches welcome) to avoid a race when symlinks are involved (with specific exceptions). The assumption is, and has always been, that the directory resides inside a location that is secure from attacks.

In this particular case, for example, you don't need this race at all. Simply do "ln -s /etc/passwd somefile" and ask root to write to somefile, with or without safewrite. That would work equally well, and does not require to race with anything.

You might be wondering, if that is the case, why I'm unlinking somefile.tmp before opening it with O_CREAT|O_TRUNC. The reason is that it might have permissions (say, from a previous run that failed - unlikely, but not impossible) that prevent proper functioning. It has nothing to do with permissions.


Shachar Shemesh
Lingnu Open Source Consulting Ltd.

Reply to: