Ok. But I assume the application for this is something like /usr/share to
which noone would have write privileges to (I would hope). I doubt anyone
would want to run it on /home... and if they do they most likely don't care
about security too much anyway... (-;
>Think what happens if root does that for /tmp/foo and some luser has write
>permissions on /tmp/foo/bar. There is a window between execve() on chmod(1)
>and call of chmod(2) and during that window luser can replace /tmp/foo/bar/baz
>to symlink to /etc and leave root doing chmod("/tmp/foo/bar/baz/shadow",
>0744);
>
>Not that chmod(1) was any better at that... It should've been keeping
>all chain between the root of subtree and parent of file we currently
>handling opened and do open()/fstat()/fchdir() to go down and fchdir()
>to go up. Then all calls of chmod(2) would be for files in current
>directory, which prevents symlink attacks.
>
>Moral: think _very_ hard when you write any tree-walking code that will
>ever be used on a tree writable to somebody else.
Point taken. I will keep it in mind when implementing ACLs (and ACL
inheritance in particular) in NTFS. That will involve walking back to the
volume's root to establish the inherited rights... which might perhaps lend
itself to simillar abuse.
Cheers,
Anton
-- "I've not lost my mind. It's backed up on tape somewhere." - Unknown-- Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @) Linux NTFS Maintainer / WWW: http://linux-ntfs.sf.net/ ICQ: 8561279 / WWW: http://www-stu.christs.cam.ac.uk/~aia21/- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/