| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Apr 2016 15:25:16 -0400
From: Valdis.Kletnieks@...edu
To: Al Viro <viro@...IV.linux.org.uk>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC] a corner case of open(2)
On Tue, 26 Apr 2016 20:02:48 +0100, Al Viro said:
> > The biggest danger I can see is some shell script doing something like:
> >
> > foobar > $dir/$targetfile
> >
> > and $targetfile is unset. If we allow a program to get an open fd that refers
> > to a directory, what are the semantics of various operations on that fd?
>
> Huh? We certainly do allow to get an open fd that refers to a directory -
> how else could ls(1) possibly work? See getdents(2) - it does use an
> open file descriptor to specify the directory we operate upon.
Gaah.. I lost a few words in there - /bin/ls is *expecting* to operate on
a directory, so to calls getdents. I meant some generic program that
opened a directory in error, and was expecting to act on "stream of bytes"
> We also do not allow opening directories for *write*, and in that case EISDIR
> is the right error (and we do return it).
OK, that and ftruncate() are about the only ways to cause trouble with a
directory opened by accident...
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists