safe_rename() and verifying the result of link(2)
Steffen Nurpmeso
steffen at sdaoden.eu
Thu Aug 23 23:16:42 UTC 2018
Derek Martin wrote in <20180823050819.GA20356 at bladeshadow.org>:
|On Wed, Aug 22, 2018 at 11:12:39AM -0700, Kevin J. McCarthy wrote:
|> On Wed, Aug 22, 2018 at 10:04:12AM -0500, Derek Martin wrote:
...
|> Steffen's cautions apply to dotlock code, which is a different case and
|> is not affected by this change.
|
|It's fundamentally the same thing though. The mechanism for dotlock
|works like this:
|
| - create a secure temporary file (with O_EXCL).
| This ensures that the file we're opening for the lock has not been
| subverted by another process, potentially an attacker.
| - stat the file
This does not happen for the traditional BSD code.
| - link the file to canonical name
| If the link succeeds, we have the lock, but the rc from link is
| unreliable, so...
| - stat the file again using the new link
| Here, we compare the inode and/or make sure the link count has
| increased, to ensure we're really dealing with the same file...
No, instead stat(2) is called on the temporary file, and if that
has a link count of 2 then we have won the race on the lock file.
| - write the PID to the lock file
| - unlink the temporary file
|
|Exact details may vary slightly, but that's the essence of it. This
|is almost exactly what _maildir_commit_message() (and safe_rename())
|does, for largely the same reasons, though the purpose of the file is
|different.
I do not know.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
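The BSD-style dotlock sequence Steffen describes (create the temporary file with O_EXCL, link(2) it to the lock name, then stat(2) the temporary file and treat a link count of 2 as the proof of ownership rather than link's return code), as an added example in C; this is not mutt's dotlock code, and the temp-name scheme (lock name plus PID) is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Take lockpath once, BSD dotlock style. Returns 1 if we now hold the
 * lock, 0 if another holder beat us, -1 if the temp file could not be
 * created. The temp name scheme (lock name + pid) is an assumption. */
int dotlock_acquire(const char *lockpath)
{
    char tmp[4096], pid[32];
    struct stat st;
    int fd, n, held = 0;

    n = snprintf(tmp, sizeof tmp, "%s.%ld.tmp", lockpath, (long)getpid());
    if (n < 0 || (size_t)n >= sizeof tmp)
        return -1;
    /* O_EXCL: refuse to reuse a file another process (or an attacker)
     * may have placed at that name; only a file we created is trusted. */
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    n = snprintf(pid, sizeof pid, "%ld\n", (long)getpid());
    (void)write(fd, pid, (size_t)n);    /* lock holder's PID */
    close(fd);

    /* Do not trust link(2)'s return code: over NFS it can be wrong, e.g.
     * when the server performs the link but dies before replying. */
    (void)link(tmp, lockpath);

    /* Authoritative check: the temp file has two names iff we won. */
    if (stat(tmp, &st) == 0 && st.st_nlink == 2)
        held = 1;
    unlink(tmp);    /* the lock file, if ours, keeps the inode alive */
    return held;
}

/* Drop the lock; returns unlink(2)'s result. */
int dotlock_release(const char *lockpath)
{
    return unlink(lockpath);
}
```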
More information about the Mutt-dev mailing list