[15956] in Athena Bugs
Re: saferm
daemon@ATHENA.MIT.EDU (Thomas Bushnell, n/BSG)
Thu May 28 15:30:46 1998
Date: Thu, 28 May 1998 15:30:44 -0400
From: tb@MIT.EDU (Thomas Bushnell, n/BSG)
To: kcr@MIT.EDU
Cc: bugs@MIT.EDU
In-Reply-To: Karl Ramm's message of 28 May 1998 15:13:52 -0400
<uusogwi2opb.fsf@pertinent-quantum-oddity.mit.edu>
From: Karl Ramm <kcr@MIT.EDU>
Date: 28 May 1998 15:13:52 -0400
What should have happened:
saferm should've done one of the following
a. removed everything in the directory (bad)
b. refused to deal with directories with files other than . and ..
in them, and removed . and .. before unlinking the "empty"
directories. (better)
c. refused to remove directories, mimicking the behavior of rm. (best)
I agree that (c) is best.
There's an unfortunate race condition here, however, which is that
between the stat which checks to see that it's not a directory, and
the actual unlink the user might have removed a regular file himself
and substituted a directory, and then the unlink loses.
This means that on systems where root is able to unlink directories,
there is no reliable way for root to do unlinks on behalf of users.
I don't know an easy way to avoid this, but I'm working on changes to
at least do the right thing modulo the race condition.
(I found two other problems in the code as well; it should do an fsync
after the zeroing, and it should do the zeroing after the unlink.)
I'll submit these changes for source review later today.
Thomas
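Added example, not saferm's code and not the change Thomas says he will submit: one way to close the stat-then-unlink gap the message describes is to stop checking the path at all and do the type check, the zeroing and the fsync on a single open file descriptor. A directory cannot be opened for writing (the open itself fails with EISDIR), so the "is this a regular file?" decision and the object that gets zeroed are the same inode, with no window for a substitution between them. The function name `saferm_file` and the self-test are invented for this example; the caller is assumed to have already decided the user may remove the path.

```c
/*
 * Descriptor-based secure remove of one regular file (illustrative, not
 * the Athena saferm source).  The message's three points in order:
 *   - type check must not be a separate stat() on the path: fstat() the
 *     descriptor instead, after an open() that already refuses directories
 *   - zero the contents after the unlink (the inode stays alive while the
 *     descriptor is open)
 *   - fsync() after the zeroing so the zeros reach disk before the inode
 *     is freed
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Overwrite the first `size` bytes reachable through fd with zeros. */
static int zero_fd(int fd, off_t size)
{
    static const char zeros[4096];            /* zero-initialised by C */
    off_t done = 0;
    if (lseek(fd, 0, SEEK_SET) == (off_t)-1)
        return -1;
    while (done < size) {
        size_t chunk = (size - done) < (off_t)sizeof zeros
                     ? (size_t)(size - done) : sizeof zeros;
        ssize_t n = write(fd, zeros, chunk);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        done += n;
    }
    return 0;
}

/* Returns 0 on success, -1 with errno set otherwise. */
int saferm_file(const char *path)
{
    /* O_WRONLY: a directory fails here with EISDIR, before any decision.
     * O_NOFOLLOW: a symlink is refused (ELOOP) rather than followed.
     * O_NONBLOCK/O_NOCTTY: opening a FIFO or tty has no side effects. */
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;

    struct stat st;                  /* check the object we hold, not the name */
    if (fstat(fd, &st) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    if (!S_ISREG(st.st_mode)) {      /* device, FIFO, socket: not ours to wipe */
        close(fd); errno = EPERM; return -1;
    }

    /* Unlink first; the open descriptor keeps the inode for the zeroing. */
    if (unlink(path) < 0 || zero_fd(fd, st.st_size) < 0 || fsync(fd) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return close(fd);
}

/* Self-test on a constructed temp file: the name must be gone afterwards,
 * and a directory must be refused. Returns 1 on success, 0 on failure. */
int saferm_selftest(void)
{
    char name[] = "/tmp/saferm-example-XXXXXX";
    const char sample[] = "constructed sample contents\n";
    int fd = mkstemp(name);
    if (fd < 0)
        return 0;
    if (write(fd, sample, sizeof sample - 1) != (ssize_t)(sizeof sample - 1)) {
        close(fd); unlink(name); return 0;
    }
    close(fd);
    if (saferm_file(name) != 0) { unlink(name); return 0; }
    if (access(name, F_OK) == 0)   /* should no longer exist */
        return 0;
    if (saferm_file("/tmp") == 0)  /* a directory must never be removed */
        return 0;
    return errno == EISDIR || errno == EPERM;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    if (saferm_file(argv[1]) != 0) {
        perror(argv[1]);
        return 1;
    }
    return 0;
}
```

What this does and does not fix: the zeroing and fsync are guaranteed to land on exactly the inode that passed the S_ISREG check, because no path is consulted after the open. The name-level race Thomas describes is narrowed, not eliminated: between open() and unlink() the user can still swap the name, and unlink() then acts on whatever is there. On Linux unlink() on a directory fails with EISDIR regardless of privilege, so in that remaining window the worst outcome is unlinking an object the user placed there themselves; on the older systems the message has in mind, where root can unlink a directory, that window is the residual risk.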