From: Nick Kralevich <nnk@google.com>
To: musl@lists.openwall.com
Subject: faccessat and AT_SYMLINK_NOFOLLOW
Date: Wed, 4 Feb 2015 11:25:49 -0800 [thread overview]
Message-ID: <CAFJ0LnGGaKAAzwCJy6O7SX3zuvX5A+nVHL90no8+XTZqD4sghQ@mail.gmail.com> (raw)
In some sense, this is a continuation of the earlier thread at
http://www.openwall.com/lists/musl/2014/09/25/1 . That thread is the
only concrete discussion I can find describing the intended behavior
of faccessat and AT_SYMLINK_NOFOLLOW
I'm working on a modification to Android's libc for faccessat.
Currently, in Android's libc, faccessat() completely ignores any flags
argument, and just passes through the call to the kernel (dropping the
flags field).
I've proposed a modification to Android's libc to implement
AT_SYMLINK_NOFOLLOW (https://android-review.googlesource.com/128582).
By calling access() on /proc/self/fd/FDNUM, where FDNUM was created
using open(O_PATH | O_NOFOLLOW), we can ask the kernel to make an
access control decision on the symlink itself. The model was suggested
by Rich in https://sourceware.org/bugzilla/show_bug.cgi?id=14578
(although that was for a different bug).
However, as I've digged into this more, I'm more and more confused
about what the correct behavior should be for
faccessat(AT_SYMLINK_NOFOLLOW).
Imagine the following code:
symlink("foo.is.dangling", "foo");
if (faccessat(AT_FDCWD, "foo", R_OK, AT_SYMLINK_NOFOLLOW) == 0) {
int fd = openat(AT_FDCWD, "foo", O_RDONLY | O_NOFOLLOW);
}
For glibc, faccessat(AT_NOFOLLOW) will return true, since the symlink
exists and the permissions on the symlink allow access. (Symlinks on
Linux are always 777, so glibc considers any symlink to be globally
accessible)
However, the openat() call will fail, since the target is a symlink.
It seems to me that, if faccessat(R_OK, AT_SYMLINK_NOFOLLOW) returns
true, than the openat() should succeed (absent race conditions).
Similarly, if faccessat() returns false, then the openat() should
fail. To do so otherwise seems counter-intuitive to me.
I'm curious what others think the appropriate behavior of
faccessat(AT_SYMLINK_NOFOLLOW) should be. Clearly the glibc behavior
here is wrong, but I'm not sure what the right behavior should be...
--
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037
next reply other threads:[~2015-02-04 19:25 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-04 19:25 Nick Kralevich [this message]
2015-02-05 20:37 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFJ0LnGGaKAAzwCJy6O7SX3zuvX5A+nVHL90no8+XTZqD4sghQ@mail.gmail.com \
--to=nnk@google.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).