Re: rm-ing files with open file descriptors

Kai Henningsen (kaih@khms.westfalen.de)
19 Jan 2002 19:44:00 +0200


viro@math.psu.edu (Alexander Viro) wrote on 19.01.02 in <Pine.GSO.4.21.0201190627310.3523-100000@weyl.math.psu.edu>:

> On Sat, 19 Jan 2002, Miquel van Smoorenburg wrote:
>
> > This could be hacked around of course in fs/namei.c, so I tried
> > it for fun. And indeed, with a minor correction it works:
> >
> > % perl flink.pl
> > Success.
> >
> > I now have a flink-test2.txt file. That is pretty cool ;)
>
> It's also a security hole.

It may well be one when going via /proc. But is it one when going via a
(hypothetical) proper flink(2)? If so, why?

Note that every process who has a filehandle open for reading can already
get at the file contents and write them to a completely new file, and
every process who has it open for writing can already change its contents
to everything it likes. So I can see read|write checks on the file handle.
Also all the usual link(2) checks. What else could be a hole?

Regards, Kai