Date:   Wed, 20 Dec 2017 20:18:44 +0100
From:   Pali Rohár <>
Subject: Race-free unlinking of directory entries


The Linux kernel currently does not provide any race-free way of calling
the unlink() syscall on a file entry which points to an opened file
descriptor.

On the other hand, the Linux kernel already provides a race-free way of
creating a file entry with the linkat() syscall with the AT_EMPTY_PATH or
AT_SYMLINK_FOLLOW flags. unlinkat() does not.

There was already a discussion about the unlink issue in bugzilla:

Because a file descriptor describes an inode number which can be stored
in more directories as hard links, there is a proposed funlinkat()
syscall with the following API:

int funlinkat(int fd, int dirfd, const char *pathname, int flags);

It should atomically check whether the file descriptor fd and pathname
(according to dirfd) are the same, and if so, just
unlinkat(dirfd, pathname, flags). If they are not the same, throw an error.

What a userspace application basically needs:

Open a file, test its stat (or probably content) and, based on the test
result, decide whether the file needs to be removed or not.

Or delete a file behind a file descriptor opened with O_PATH.

Both cases are currently not possible without introducing a race
condition between open/stat and unlink. Between those two calls, some
other process can exchange the files.

Pali Rohár
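
The check-then-unlink sequence described in the message, as an added example that is not part of the original post: a userspace approximation of the proposed funlinkat() that compares st_dev/st_ino of the descriptor and of the name before calling unlinkat(). The name funlinkat_emulated, the ESTALE error code and the temporary-directory scenario are assumptions of this example; the comparison is not atomic, so the window between the check and the unlink remains.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical userspace approximation of the proposed funlinkat().
 * NOT atomic: the name can be re-pointed between fstatat() and unlinkat(). */
int funlinkat_emulated(int fd, int dirfd, const char *pathname, int flags)
{
    struct stat by_fd, by_name;

    if (fstat(fd, &by_fd) == -1)
        return -1;
    if (fstatat(dirfd, pathname, &by_name, AT_SYMLINK_NOFOLLOW) == -1)
        return -1;
    if (by_fd.st_dev != by_name.st_dev || by_fd.st_ino != by_name.st_ino) {
        errno = ESTALE;   /* error code chosen for this example only */
        return -1;
    }
    /* <-- race window: only a check done inside the kernel can close it */
    return unlinkat(dirfd, pathname, flags);
}

/* Constructed scenario: returns 0 if an exchanged entry is refused and the
 * entry that matches the descriptor is removed. */
int demo_swap_detected(void)
{
    char tmpl[] = "/tmp/funlinkat-demo-XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    int fd = openat(dirfd, "target", O_CREAT | O_RDWR, 0600);
    int other = openat(dirfd, "other", O_CREAT | O_RDWR, 0600);
    if (dirfd < 0 || fd < 0 || other < 0) return -1;

    /* Stand-in for another process exchanging files: "target" now names a different inode. */
    if (renameat(dirfd, "other", dirfd, "target") == -1) return -1;

    int refused = funlinkat_emulated(fd, dirfd, "target", 0) == -1 && errno == ESTALE;
    int still_there = faccessat(dirfd, "target", F_OK, 0) == 0;
    int removed = funlinkat_emulated(other, dirfd, "target", 0) == 0;
    close(fd); close(other); close(dirfd); rmdir(tmpl);
    return (refused && still_there && removed) ? 0 : 1;
}

int main(void) { printf("%d\n", demo_swap_detected()); return 0; }
```

The inode comparison catches an exchange that happened before the check, but an exchange that lands between fstatat() and unlinkat() still removes the wrong entry, which is the gap the proposed syscall is meant to close.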
