Add S_IFTRIGGER to st_mode [PSARC/2007/563 FastTrack timeout 10/04/2007]
Tom Haynes
Thomas.Haynes at Sun.COM
Thu Oct 4 21:15:55 PDT 2007
James Carlson wrote:
> Don Cragun writes:
>
>> This case tries to allow applications to determine that they
>> have just stat()ed a file that may generate a false positive. It does
>> do that. But there is still no way to determine whether the directory
>> opened by the opendir() was the requested directory or a spoofed
>> directory planted into the file hierarchy between the original *stat*()
>> call and the opendir() call.
>>
>
> Yes, that's exactly the point I was raising.
>
I think we are all in agreement with that statement and are expressing
our concerns in different manners.
> The problem is that doing two stats after opendir() doesn't really add
> any security, as it doesn't cover for a race condition that anyone has
> been able to describe, so I think we ought to be direct and say that
> we are deliberately disabling this security check in this one case.
>
Agreed, I can't express the race condition that I believed was still there.
I also agree with the statement that we need to be direct here.
> I think the alternative (one that preserves the existing security
> checks) would be to add a new flag to fstatat(2).
>
That approach would trigger a mount before the call to fstatat(2). The
key design point in my proposal is that we want to be able to detect that
a directory is a trigger mount without actually triggering the mount.
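
The stat-then-open identity check this thread discusses, as an added example that is not part of the original message: the directory is opened first and the descriptor is then compared against the earlier stat result. `open_dir_checked` and `demo_replaced_dir_rejected` are hypothetical names, and the replaced-directory scenario is constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open directory `path` and return its descriptor only
 * if the opened object has the same (st_dev, st_ino) as the earlier stat
 * result `before`. Returns -1 on error or mismatch; pass to fdopendir(3). */
int open_dir_checked(const char *path, const struct stat *before)
{
    struct stat after;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* fstat() describes the object actually opened, not whatever the name
     * refers to now, so nothing can change between open and this check. */
    if (fstat(fd, &after) != 0 || after.st_dev != before->st_dev ||
        after.st_ino != before->st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: returns 1 if an unchanged directory is accepted and
 * one replaced between lstat() and the open is rejected, 0 otherwise. */
int demo_replaced_dir_rejected(void)
{
    char base[] = "/tmp/statcheckXXXXXX", dir[64], old[64];
    struct stat st;
    if (mkdtemp(base) == NULL) return 0;
    snprintf(dir, sizeof dir, "%s/d", base);
    snprintf(old, sizeof old, "%s/old", base);
    if (mkdir(dir, 0700) != 0 || lstat(dir, &st) != 0)
        return 0;
    int same = open_dir_checked(dir, &st);     /* nothing changed */
    if (same >= 0) close(same);
    /* Replace the directory after the stat, as in the race discussed. */
    if (rename(dir, old) != 0 || mkdir(dir, 0700) != 0)
        return 0;
    int swapped = open_dir_checked(dir, &st);  /* new inode under old name */
    if (swapped >= 0) close(swapped);
    rmdir(dir); rmdir(old); rmdir(base);
    return same >= 0 && swapped < 0;
}
```

A mismatch says only that the name now refers to a different object than the one that was stat()ed; the check cannot tell why the identity changed.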