[8581] in bugtraq
Re: open() races in general
daemon@ATHENA.MIT.EDU (Glynn Clements)
Tue Nov 17 11:20:21 1998
Date: Tue, 17 Nov 1998 05:43:33 +0000
Reply-To: Glynn Clements <glynn@SENSEI.CO.UK>
From: Glynn Clements <glynn@SENSEI.CO.UK>
X-To: Marc Heuse <marc@SUSE.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199811151812.TAA30431@Galois.suse.de>
Marc Heuse wrote:
> But now let's get to the "fix" proposed by some guys about checking the
> device number and inode number before opening the file (lstat) and
> afterwards (fstat).
OK, it should be open(), lstat(), fstat().
This approach isn't necessary in this particular case, as you are
checking the ownership, and the file is in a directory which
(hopefully) has the sticky bit set.
However, if this test isn't reliable (e.g. when you're creating a file
in a user's home directory), then you need the lstat/fstat test.
If you perform the lstat() after the file is opened, you can guarantee
that the target hasn't been removed and re-created with the same inode
number, as the inode can't be re-used while it is open.
Comparing the st_dev/st_ino pair with the results from fstat() ensures
that the lstat() really does refer to the file which you have opened.
The one case for which I don't know of a solution (and there may not
be one), is if a user creates a symlink to a device file or FIFO. In
this case, simply open()ing the target can cause undesired effects.
--
Glynn Clements <glynn@sensei.co.uk>
