Add S_IFTRIGGER to st_mode [PSARC/2007/563 FastTrack timeout 10/04/2007]
James Carlson
james.d.carlson at sun.com
Wed Oct 3 13:21:11 PDT 2007
Tom Haynes writes:
> James Carlson wrote:
> >
> > The part that tripped me up here was the double stat(). The actual
> > code seems to use a "stat-opendir-fstat-fstat" pattern, where that
> > first fstat is the "new" one, and is actually there just to dummy out
> > the results from the second one. (As a code review comment, it looks
> > like this dummying-out could be done by way of a boolean_t rather than
> > calling fstat() an extra time merely to overwrite &statb.)
>
> Hmm, with the fstat() as shown in the code, I'd agree.
OK, then at least we're in sync there.
> But what I'm proposing is to redo the stat() and still do the security
> check. What if the directory had been moved? With autofs, this is very
> unlikely. With nfs, it can happen. My intent is to provide a mechanism
> to detect such edge conditions.
In that case, I don't follow. What security problem can you detect by
doing a stat() call _after_ having opened a file system node of any
sort?
Can you provide the details of a scenario in which some sort of
timing-based attack is caught by this fix?
Perhaps we're getting a bit too close to the point of design or code
review instead of architecture, but other than simply disabling the
security check, I don't see how the new feature contributes towards
additional security.
--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677