From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: "Meng, Bin" <Bin.Meng@windriver.com>
Cc: Greg Kurz <groug@kaod.org>,
	qemu-devel@nongnu.org, Bin Meng <bmeng.cn@gmail.com>,
	"Shi, Guohuai" <Guohuai.Shi@windriver.com>
Subject: Re: [PATCH 5/9] hw/9pfs: Add a 'local' file system backend driver for Windows
Date: Tue, 24 May 2022 14:23:27 +0200
Message-ID: <2729855.OPLsDoUTax@silver>
In-Reply-To: <MN2PR11MB4173AA315105D173BC930E20EFC89@MN2PR11MB4173.namprd11.prod.outlook.com>

On Wednesday, 11 May 2022 17:57:08 CEST Shi, Guohuai wrote:
> > -----Original Message-----
> > From: Greg Kurz <groug@kaod.org>
> > Sent: 11 May 2022 20:19
> > To: Shi, Guohuai <Guohuai.Shi@windriver.com>
> > Cc: Christian Schoenebeck <qemu_oss@crudebyte.com>; qemu-devel@nongnu.org;
> > Meng, Bin <Bin.Meng@windriver.com>; Bin Meng <bmeng.cn@gmail.com>
> > Subject: Re: [PATCH 5/9] hw/9pfs: Add a 'local' file system backend driver
> > for Windows
[...]
> > This would be useless because of TOCTOU : a directory could be replaced by
> > a symlink between the check and the actual use of the file. O_NOFOLLOW
> > provides the atomicity needed to safely error out on symlinks. Since
> > O_NOFOLLOW only makes sense for the rightmost path element, paths from
> > the client have to be broken down into a succession of *at() syscalls,
> > one for each element.
> 
> 
> For the Windows file system, it would be OK.
> Windows cannot delete an open file (this is a behavior difference between
> the Windows file system driver and UNIX-like inode-based file systems). So
> when 9PFS tries to open the final file, the following steps will keep it safe:
> 1. Open the final file by Windows NT APIs and keep the handle open.
> 2. Open the final file by MinGW open().
> 3. Close the NT handle.
> 
> The Windows file system does not allow deleting/renaming/moving an open file.
> Even so, Windows provides a "FILE_SHARE_DELETE" flag in its NT API CreateFile().
> Windows allows deleting the open file, but cannot re-create the same name.
> The following steps will fail on Windows:
> 
> 1. Open a directory by CreateFile() with the "FILE_SHARE_DELETE" flag and keep
> the handle open.
> 2. Remove the directory.
> 3. Re-create a directory/file/link with the same name.
> 
> Windows will fail on step #3.
> 
> So I think checking if there is a link in the filename would be safe on a
> Windows host.

Neither Greg nor I are working much with Windows. As this was a fundamental 
security issue though, one way to bring this issue forward would be to back up 
your claims with test case(s). Then we would also have a safety net e.g. via 
CI cloud alerts in case behaviour on Windows changes one day.

Best regards,
Christian Schoenebeck
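
The per-element walk Greg describes for POSIX hosts, as an added example that is not part of the thread and is not QEMU's code: each path element is opened with openat() and O_NOFOLLOW, so there is no separate check for a symlink swap to race against. It assumes a Linux host; the names `open_nofollow` and `demo` and the temporary tree are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` (relative, '/'-separated) below rootfd with one openat() per
 * element. Each element carries O_NOFOLLOW, so a symlink swapped in at any
 * depth makes the open itself fail; there is no earlier check to race. */
int open_nofollow(int rootfd, const char *path, int final_flags)
{
    char buf[PATH_MAX], *save = NULL, *elem, *next;
    int fd, nfd, err;

    if (strlen(path) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    if ((fd = dup(rootfd)) < 0) return -1;
    for (elem = strtok_r(buf, "/", &save); elem; elem = next) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(elem, "..") == 0) { close(fd); errno = EACCES; return -1; }
        nfd = openat(fd, elem, O_NOFOLLOW | O_CLOEXEC |
                     (next ? O_RDONLY | O_DIRECTORY : final_flags));
        err = errno; close(fd); errno = err;   /* keep openat()'s errno */
        if (nfd < 0) return -1;    /* ELOOP or ENOTDIR when elem is a symlink */
        fd = nfd;
    }
    return fd;
}

/* Constructed tree: root/dir/file is real, root/link is a symlink to dir.
 * Result bits: 1 = real path opened, 2 = symlink in the middle refused,
 * 4 = symlink as last element refused. */
int demo(void)
{
    char tmpl[] = "/tmp/nofollow-XXXXXX";
    int root, fd, res = 0;
    if (!mkdtemp(tmpl) || (root = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    if (mkdirat(root, "dir", 0700) || symlinkat("dir", root, "link")) return -1;
    close(openat(root, "dir/file", O_CREAT | O_WRONLY, 0600));
    if ((fd = open_nofollow(root, "dir/file", O_RDONLY)) >= 0) { res |= 1; close(fd); }
    if (open_nofollow(root, "link/file", O_RDONLY) < 0) res |= 2;
    if (open_nofollow(root, "link", O_RDONLY) < 0) res |= 4;
    unlinkat(root, "dir/file", 0); unlinkat(root, "link", 0);
    unlinkat(root, "dir", AT_REMOVEDIR); close(root); rmdir(tmpl);
    return res;
}
```

A test of this shape, run in CI on each supported host, is the kind of safety net the reply asks for.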



