From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: readdir(3): behavior on descriptors with O_SEARCH
Date: Sun, 28 Aug 2016 12:20:37 -0400 [thread overview]
Message-ID: <20160828162037.GG15995@brightrain.aerifal.cx> (raw)
In-Reply-To: <CAMqzjevMQuhMOJiqatXOQ7jV32uXJ35ZN-7dQXMduPUUhmKkcg@mail.gmail.com>
On Sun, Aug 28, 2016 at 07:02:18PM +0300, Dmitry Selyutin wrote:
> Hi Rich,
>
> thank you for the detailed answer!
>
> > If a program is doing this then trying to fdopendir/readdir, it's a
> > bug in the program. A directory opened with O_SEARCH is only usable
> > for search (attempting to access a file/directory in that directory
> > by name, using one of the *at functions) not for reading. Unix has
> > always distinguished search (+x) and read (+r) permission for
> > directories and O_SEARCH vs O_RDONLY is similar.
> Well, that's probably the worst kind of bugs, since it was caused by
> misinterpretation of the documentation.
> That was written intentionally due to misunderstanding, so I really want to
> clarify the situation here.
> So does it mean that descriptors opened with O_SEARCH are usable only for
> *at functions?
> I've been under the impression that it's part of the O_PATH functionality,
> not O_SEARCH.
http://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html
O_RDONLY
Open for reading only.
...
O_SEARCH
Open directory for search only.
Note the word "only". Moreover it's clear from the permissions model
that you can't read from a directory opened for O_SEARCH, since
O_SEARCH does not require read permission; permission enforcement is
specific in the errors (and possibly elsewhere):
[EACCESS]
Search permission is denied on a component of the path prefix,
or the file exists and the permissions specified by oflag are
denied, or the file does not exist and write permission is
denied for the parent directory of the file to be created, or
O_TRUNC is specified and write permission is denied.
The relevant part of this text is "or the file exists and the
permissions specified by oflag are denied". If you could read from a
fd opened for O_SEARCH, you could bypass the check for "r" permission
at the fs level and read any directory to which you had "x"
permission. (In a sense you can do this anyway by brute-force search,
but that does not work when filenames in a +x-r directory are
sufficiently long and unpredictable, which is the case for secure uses
of +x-r.
> > It's been an ongoing fight even trying to get the kernel to reserve a
> > bit number for them. It looks like the correct course of action (the
> > one that's compatible with their non-action) is going to be using
> > O_PATH|3 for both of them. This allows userspace open to process
> > O_SEARCH and O_EXEC slightly differently from O_PATH (O_NOFOLLOW has
> > different semantics) and the kernel will ignore the extra access mode
> > bits with O_PATH anyway.
> At the same time, if I understand you correctly, you mean that O_PATH is a
> different beast than O_SEARCH.
Linux implemented O_PATH independently of POSIX O_SEARCH and O_EXEC,
not specifically with the intent to model them but rather to allow
more general things.
> I've found a mail in the DragonFly mailing list, which also slightly
> touches this topic[0].
> They also propose to use value 3 as currently unused value; I don't know if
> it is implemented yet.
> FWIW, neither OpenBSD nor FreeBSD provide O_SEARCH flag; the latter
> provides O_EXEC though.
Linux actually uses the value 3 for a wacky purpose: ioctl-only
opening of certain device nodes. Opening with mode 3 requires +rw
permissions. This was a huge waste of the value but I think they feel
obligated to keep it for compatibility.
> I finally have a good access to the Internet so I managed to find a
> detailed discussion on this topic[1].
> Sorry guys (and especially you, Rich) that I didn't find it before; it
> would have saved some questions earlier.
>
> Rich, could you please elaborate on the exact semantics of O_SEARCH flag?
> Again, thank you very much for your answer and for your patience!
My understanding is that you can use an O_SEARCH fd for the *at
functions and in any place where an operation is just being performed
on the fd (like fstat, fchown, etc.) where the open modes are not
relavant (e.g. fchown does not use the mode the file was opened with
but checks permissions at the time of the fchown). You definitely
cannot use it for read or write operations.
Rich
next prev parent reply other threads:[~2016-08-28 16:20 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAMqzjetOkwQ7wi4p3MY_HT46v6pVRh_eHSi6SbwC96qoz+ivFg@mail.gmail.com>
2016-08-27 18:23 ` Dmitry Selyutin
2016-08-28 7:10 ` Markus Wichmann
2016-08-28 8:12 ` Dmitry Selyutin
2016-08-28 9:02 ` Dmitry Selyutin
2016-08-28 15:06 ` Rich Felker
2016-08-28 16:02 ` Dmitry Selyutin
2016-08-28 16:20 ` Rich Felker [this message]
2016-08-28 17:14 ` Dmitry Selyutin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160828162037.GG15995@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).