Before this commit, we were passing around paths everywhere to specify
the targets of operations. This is not optimal from a security
standpoint: the best we can do to avoid following hard links is to
check whether or not a given file has more than one name. There is a
race condition inherent in that approach -- between when you stat the
file and when you use it, the number of names may change -- but using
paths makes that window larger than it has to be. There's no guarantee
that a path used at the bottom of apply_default_acl() will refer to
the same file that we called stat() on at the top of the function.
To work around that, most of the path handling functions have been
replaced with versions that use file descriptors. Now we are able to
stat() our file descriptor immediately after opening it, and the
descriptor itself will always refer to the same file. There's still
the smallest of windows for an exploit, but this makes it much safer
to call apply_default_acl() when there may be hard links present.
projects / apply-default-acl.git / commit