[PATCH 1/5] tlshd: Fix a minor race

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Chuck Lever <cel@kernel.org>
To: <kernel-tls-handshake@lists.linux.dev>
Cc: Chuck Lever <chuck.lever@oracle.com>
Subject: [PATCH 1/5] tlshd: Fix a minor race
Date: Tue, 10 Jun 2025 09:25:46 -0400	[thread overview]
Message-ID: <20250610132550.39715-2-cel@kernel.org> (raw)
In-Reply-To: <20250610132550.39715-1-cel@kernel.org>

From: Chuck Lever <chuck.lever@oracle.com>

Parfait complains about using a pathname to perform an access(2)
and then passing the same pathname to open(2). Between the access(2)
and the open(2) calls, the permissions can change. I think this is
harmless for tlshd, but all the same, let's clean this up.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 src/tlshd/config.c | 26 +++++++-------------------
 1 file changed, 7 insertions(+), 19 deletions(-)

diff --git a/src/tlshd/config.c b/src/tlshd/config.c
index be5d472c466a..f4907ebb1a54 100644
--- a/src/tlshd/config.c
+++ b/src/tlshd/config.c
@@ -140,7 +140,11 @@ static bool tlshd_config_read_datum(const char *pathname, gnutls_datum_t *data,
 
 	fd = open(pathname, O_RDONLY);
 	if (fd == -1) {
-		tlshd_log_perror("open");
+		if (access(pathname, F_OK))
+			tlshd_log_debug("tlshd cannot access \"%s\"",
+					pathname);
+		else
+			tlshd_log_perror("open");
 		goto out;
 	}
 	if (fstat(fd, &statbuf)) {
@@ -198,7 +202,7 @@ bool tlshd_config_get_client_truststore(char **bundle)
 		g_error_free(error);
 		return false;
 	} else if (access(pathname, F_OK)) {
-		tlshd_log_debug("client x509.truststore pathname \"%s\" is not accessible", pathname);
+		tlshd_log_debug("tlshd cannot access \"%s\"", pathname);
 		g_free(pathname);
 		return false;
 	}
@@ -234,10 +238,6 @@ bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
 	if (!pathname) {
 		g_error_free(error);
 		return false;
-	} else if (access(pathname, F_OK)) {
-		tlshd_log_debug("client x509.certificate pathname \"%s\" is not accessible", pathname);
-		g_free(pathname);
-		return false;
 	}
 
 	if (!tlshd_config_read_datum(pathname, &data, TLSHD_OWNER,
@@ -282,10 +282,6 @@ bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey)
 	if (!pathname) {
 		g_error_free(error);
 		return false;
-	} else if (access(pathname, F_OK)) {
-		tlshd_log_debug("client x509.private_key pathname \"%s\" is not accessible", pathname);
-		g_free(pathname);
-		return false;
 	}
 
 	if (!tlshd_config_read_datum(pathname, &data, TLSHD_OWNER,
@@ -336,7 +332,7 @@ bool tlshd_config_get_server_truststore(char **bundle)
 		g_error_free(error);
 		return false;
 	} else if (access(pathname, F_OK)) {
-		tlshd_log_debug("server x509.truststore pathname \"%s\" is not accessible", pathname);
+		tlshd_log_debug("tlshd cannot access \"%s\"", pathname);
 		g_free(pathname);
 		return false;
 	}
@@ -372,10 +368,6 @@ bool tlshd_config_get_server_certs(gnutls_pcert_st *certs,
 	if (!pathname) {
 		g_error_free(error);
 		return false;
-	} else if (access(pathname, F_OK)) {
-		tlshd_log_debug("server x509.certificate pathname \"%s\" is not accessible", pathname);
-		g_free(pathname);
-		return false;
 	}
 
 	if (!tlshd_config_read_datum(pathname, &data, TLSHD_OWNER,
@@ -420,10 +412,6 @@ bool tlshd_config_get_server_privkey(gnutls_privkey_t *privkey)
 	if (!pathname) {
 		g_error_free(error);
 		return false;
-	} else if (access(pathname, F_OK)) {
-		tlshd_log_debug("server x509.privkey pathname \"%s\" is not accessible", pathname);
-		g_free(pathname);
-		return false;
 	}
 
 	if (!tlshd_config_read_datum(pathname, &data, TLSHD_OWNER,
-- 
2.49.0

next prev parent reply	other threads:[~2025-06-10 13:25 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-10 13:25 [PATCH 0/5] Kick off ktls-utils 1.2 development Chuck Lever
2025-06-10 13:25 ` Chuck Lever [this message]
2025-06-10 13:25 ` [PATCH 2/5] tlshd: Remove unneeded variable "error" Chuck Lever
2025-06-10 13:25 ` [PATCH 3/5] workflows: Limit permission of the makefile.yml action Chuck Lever
2025-06-10 13:25 ` [PATCH 4/5] tlshd: Add default keyrings for NFS Chuck Lever
2025-06-10 13:25 ` [PATCH 5/5] tlshd: Relocate TLSHD_ALLPERMS Chuck Lever

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:be5d472c466 dfblob:f4907ebb1a5 )
 OR (
bs:"[PATCH 1/5] tlshd: Fix a minor race" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250610132550.39715-2-cel@kernel.org \
    --to=cel@kernel.org \
    --cc=chuck.lever@oracle.com \
    --cc=kernel-tls-handshake@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.