* openat, mkdirat, and TOCTOU for directory creation
@ 2021-02-27 14:27 Drew DeVault
2021-02-27 17:58 ` Aleksa Sarai
0 siblings, 1 reply; 3+ messages in thread
From: Drew DeVault @ 2021-02-27 14:27 UTC (permalink / raw)
To: linux-fsdevel
Hiya! I'm looking into the mkdirat and openat syscalls, and I noticed
that there's no means of implementing TOCTOU (time-of-check to
time-of-use, a technique for preventing race conditions) on directory
creation.
To create a directory and obtain a dirfd for it, you have to (1)
mkdirat, then (2) openat with O_DIRECTORY, and if the directory is
removed in between, the latter will fail.
One possibly straightforward solution is to support openat with the
O_DIRECTORY and O_CREAT flags specified.
The present behavior of this flag combination is to create a file and
return ENOTDIR. The appropriate behavior is probably to create a
directory as proposed, or, at a minimum, to return EINVAL and not create
the file.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: openat, mkdirat, and TOCTOU for directory creation
2021-02-27 14:27 openat, mkdirat, and TOCTOU for directory creation Drew DeVault
@ 2021-02-27 17:58 ` Aleksa Sarai
2021-02-27 20:03 ` Drew DeVault
0 siblings, 1 reply; 3+ messages in thread
From: Aleksa Sarai @ 2021-02-27 17:58 UTC (permalink / raw)
To: Drew DeVault; +Cc: linux-fsdevel
[-- Attachment #1: Type: text/plain, Size: 1451 bytes --]
On 2021-02-27, Drew DeVault <sir@cmpwn.com> wrote:
> Hiya! I'm looking into the mkdirat and openat syscalls, and I noticed
> that there's no means of implementing TOCTOU (time-of-check to
> time-of-use, a technique for preventing race conditions) on directory
> creation.
>
> To create a directory and obtain a dirfd for it, you have to (1)
> mkdirat, then (2) openat with O_DIRECTORY, and if the directory is
> removed in between, the latter will fail.
>
> One possibly straightforward solution is to support openat with the
> O_DIRECTORY and O_CREAT flags specified.
This was discussed last year[1]. I think it would be useful but it
shouldn't be done as part of openat(2) because we already have enough
multiplexing with that syscall.
Maybe a mkdirat2(2) (which takes a flags argument -- sigh) that can be
told to return a handle to the new directory would be a nicer API.
> The present behavior of this flag combination is to create a file and
> return ENOTDIR. The appropriate behavior is probably to create a
> directory as proposed, or, at a minimum, to return EINVAL and not create
> the file.
Changing the semantics of open scares me a fair bit -- you could
probably change openat2(2) since it's not as widely used yet.
[1]: https://lore.kernel.org/linux-fsdevel/20200316142057.xo24zea3k5zwswra@yavin/
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: openat, mkdirat, and TOCTOU for directory creation
2021-02-27 17:58 ` Aleksa Sarai
@ 2021-02-27 20:03 ` Drew DeVault
0 siblings, 0 replies; 3+ messages in thread
From: Drew DeVault @ 2021-02-27 20:03 UTC (permalink / raw)
To: Aleksa Sarai; +Cc: linux-fsdevel
On Sat Feb 27, 2021 at 12:58 PM EST, Aleksa Sarai wrote:
> Maybe a mkdirat2(2) (which takes a flags argument -- sigh) that can be
> told to return a handle to the new directory would be a nicer API.
That seems appropriate. Hear hear on the sigh.
> Changing the semantics of open scares me a fair bit -- you could
> probably change openat2(2) since it's not as widely used yet.
Seems agreeable, at least for a start.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-02-27 20:11 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-02-27 14:27 openat, mkdirat, and TOCTOU for directory creation Drew DeVault
2021-02-27 17:58 ` Aleksa Sarai
2021-02-27 20:03 ` Drew DeVault
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).