Re: rm-ing files with open file descriptors

Richard Kettlewell (rjk@terraraq.org.uk)
Sun, 20 Jan 2002 15:30:39 +0000


kaih@khms.westfalen.de (Kai Henningsen) writes:
> viro@math.psu.edu (Alexander Viro) wrote:
>> On Sat, 19 Jan 2002, Miquel van Smoorenburg wrote:

>>> I now have a flink-test2.txt file. That is pretty cool ;)
>>
>> It's also a security hole.
>
> It may well be one when going via /proc. But is it one when going
> via a (hypothetical) proper flink(2)? If so, why?
>
> Note that every process who has a filehandle open for reading can
> already get at the file contents and write them to a completely new
> file, and every process who has it open for writing can already
> change its contents to everything it likes. So I can see read|write
> checks on the file handle. Also all the usual link(2) checks. What
> else could be a hole?

If the file descriptor you have was opened O_RDONLY, but you have
write permission on the file itself, then creating a new name for it
would allow you to open it O_RDWR.

I'm not 100% convinced by this argument. If you really want a
particular user not to be able to write to a file, the certain answer
is to set its permissions appropriately, rather than rely on it having
no name.

One could make the hypothetical flink(2) only work on O_RDWR file
descriptors, or only on files owned by the euid of the calling
process.

-- 
http://www.greenend.org.uk/rjk/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/