
Re: Safe file update library ready (sort of)



On 03/01/11 14:10, Adam Borowski wrote:

> There's a race condition:
>
> while [ 1 ]; do ln -s /etc/passwd somefile.tmp; done
> "Hey root, could you please use this program using libsafewrite on
> 'somefile'?"

Two questions:
1. Is this race a regression from the single file case?
2. Is this race avoidable?

In essence, it is impossible, as far as I know (patches welcome), to avoid a race when symlinks are involved (with specific exceptions). The assumption is, and has always been, that the directory resides inside a location that is secure from attacks.

In this particular case, for example, you don't need this race at all. Simply do "ln -s /etc/passwd somefile" and ask root to write to somefile, with or without safewrite. That would work equally well, and does not require racing with anything.

You might be wondering, if that is the case, why I'm unlinking somefile.tmp before opening it with O_CREAT|O_TRUNC. The reason is that it might have permissions (say, from a previous run that failed - unlikely, but not impossible) that prevent proper functioning. It has nothing to do with permissions.

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
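The symlink that the quoted loop keeps planting at somefile.tmp is exactly what O_CREAT|O_EXCL (with O_NOFOLLOW as belt and braces) refuses atomically, so the temporary file can be created without an unlink-then-O_TRUNC window while a stale leftover from a failed run is still cleaned up. Added example in C for illustration; it is not code from this thread or from libsafewrite, and the function names and the /tmp scenario are made up here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create "path" as a brand-new regular file.  O_CREAT|O_EXCL makes open()
 * fail with EEXIST if anything already sits there, a symlink (even dangling)
 * included, so an attacker who wins the race only causes a failure, never a
 * write through the link.  A leftover regular file from an earlier failed run
 * (the case the mail worries about) is unlinked and the open retried. */
int safe_create_tmp(const char *path, mode_t mode)
{
    struct stat st;
    for (int attempt = 0; attempt < 3; attempt++) {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
        if (fd >= 0 || errno != EEXIST) return fd;   /* success, or real error */
        if (lstat(path, &st) < 0) continue;         /* vanished again: retry */
        /* symlink, fifo, anything but a plain file: refuse, never reuse it */
        if (!S_ISREG(st.st_mode)) { errno = ELOOP; return -1; }
        if (unlink(path) < 0 && errno != ENOENT) return -1;
    }
    errno = EEXIST; return -1;                      /* path kept reappearing */
}

/* Hypothetical helper, constructed scenario in a fresh directory: plant at
 * somefile.tmp either a symlink (as the quoted loop does) or a stale 0000
 * regular file.  Returns 1 if the symlink was refused / the stale file was
 * replaced by a fresh 0600 one. */
int demo_scenario(int plant_symlink)
{
    char dir[] = "/tmp/safewriteXXXXXX", tmp[64], victim[64];
    struct stat st; int ok = 0, fd;
    if (!mkdtemp(dir)) return 0;
    snprintf(tmp, sizeof tmp, "%s/somefile.tmp", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (plant_symlink) {
        ok = symlink(victim, tmp) == 0 && safe_create_tmp(tmp, 0600) < 0 && errno == ELOOP;
    } else {
        if ((fd = open(tmp, O_WRONLY | O_CREAT, 0000)) >= 0) close(fd);
        fd = safe_create_tmp(tmp, 0600);
        ok = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
        if (fd >= 0) close(fd);
    }
    unlink(tmp); rmdir(dir);
    return ok;
}
```

A hard link planted at the path is handled the same way as a stale leftover: it is unlinked (which only drops that name) and a fresh file is created, so the existing inode is never opened for writing.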

