From: Abramo Bagnara <abramo@alsa-project.org>
To: Alexander Viro <viro@math.psu.edu>
Cc: Ben LaHaise <bcrl@redhat.com>,
torvalds@transmeta.com, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: Why side-effects on open(2) are evil. (was Re: [RFD w/info-PATCH]device arguments from lookup)
Date: Sat, 19 May 2001 17:10:56 +0200 [thread overview]
Message-ID: <3B068D00.95338099@alsa-project.org> (raw)
In-Reply-To: <Pine.GSO.4.21.0105190940310.5339-100000@weyl.math.psu.edu>
Alexander Viro wrote:
>
> Folks, before you get all excited about cramming side effects into
> open(2), consider the following case:
>
> 1) opening "/dev/zero/start_nuclear_war" has a certain side effect.
>
> 2) Local user does the following:
> ln -sf /dev/zero/start_nuclear_war bar
> while true; do
> mkdir foo
> rmdir foo
> ln -sf bar foo
> rm foo
> done
>
> 3) Comes the night and root runs (from crontab) updatedb(8). Said beast
> includes find(1). With sufficiently bad timing find _will_ be tricked
> into attempt to open foo. It will honestly lstat() it, all right. But
> there's no way to make sure that subsequent open() on the found directory
> will get the same object.
>
> 4) Side effect happens...
>
> Similar scenarios can be found for other programs run by/as root, but I
> think that the point is obvious - side effects on open() are not a good
> idea. Yes, we can play with checking for O_DIRECTORY, yodda, yodda, but
> I wouldn't bet a dime on security of a system with such side effects.
> A lot of stuff relies on the fact that close(open(foo, O_RDONLY)) is a
> no-op. Breaking that assumption is a Bad Thing(tm).
Can't this easily avoided if the needed action is not
< /dev/zero/start_nuclear_war
or
> /dev/zero/start_nuclear_war
but
echo "I'm evil" > /dev/zero/start_nuclear_war
?
--
Abramo Bagnara mailto:abramo@alsa-project.org
Opera Unica Phone: +39.546.656023
Via Emilia Interna, 140
48014 Castel Bolognese (RA) - Italy
ALSA project http://www.alsa-project.org
It sounds good!
next prev parent reply other threads:[~2001-05-19 15:11 UTC|newest]
Thread overview: 161+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-05-19 6:23 [RFD w/info-PATCH] device arguments from lookup, partion code in userspace Ben LaHaise
2001-05-19 6:57 ` [RFD w/info-PATCH] device arguments from lookup, partion code inuserspace Andrew Clausen
2001-05-19 7:04 ` Alexander Viro
2001-05-19 7:23 ` Andrew Clausen
2001-05-19 8:30 ` Alexander Viro
2001-05-19 10:13 ` Andrew Clausen
2001-05-19 14:02 ` [RFD w/info-PATCH] device arguments from lookup, partion code Alan Cox
2001-05-19 16:48 ` Erik Mouw
2001-05-19 17:45 ` Aaron Lehmann
2001-05-19 19:38 ` Erik Mouw
2001-05-19 20:53 ` Steven Walter
2001-05-19 18:51 ` Richard Gooch
2001-05-20 2:18 ` Matthew Wilcox
2001-05-20 2:22 ` Richard Gooch
2001-05-20 2:34 ` Matthew Wilcox
2001-05-20 2:48 ` Richard Gooch
2001-05-20 3:26 ` Linus Torvalds
2001-05-20 10:23 ` Russell King
2001-05-20 10:35 ` Alexander Viro
2001-05-20 18:46 ` Linus Torvalds
2001-05-20 18:57 ` Russell King
2001-05-20 19:10 ` Linus Torvalds
2001-05-20 19:42 ` Alexander Viro
2001-05-20 20:07 ` Alan Cox
2001-05-20 20:33 ` Alexander Viro
2001-05-20 23:59 ` Paul Fulghum
2001-05-21 0:36 ` Alexander Viro
2001-05-21 3:08 ` Paul Fulghum
2001-05-20 20:07 ` Alan Cox
2001-05-20 23:46 ` Ingo Molnar
2001-05-21 0:32 ` Alexander Viro
2001-05-21 3:12 ` Linus Torvalds
2001-05-21 19:32 ` Kai Henningsen
2001-05-23 1:15 ` Albert D. Cahalan
2001-05-20 2:36 ` Alexander Viro
2001-05-20 2:51 ` Richard Gooch
2001-05-20 21:13 ` Pavel Machek
2001-05-21 20:20 ` Alan Cox
2001-05-21 20:41 ` Alexander Viro
2001-05-21 21:29 ` Alan Cox
2001-05-21 21:51 ` Alexander Viro
2001-05-21 21:56 ` Alan Cox
2001-05-21 22:10 ` Linus Torvalds
2001-05-21 22:22 ` Alexander Viro
2001-05-22 2:28 ` Paul Mackerras
2001-05-22 15:41 ` Oliver Xymoron
2001-05-22 13:33 ` Jan Harkes
2001-05-22 16:30 ` Linus Torvalds
2001-05-22 0:22 ` Ingo Oeser
2001-05-22 0:57 ` Matthew Wilcox
2001-05-22 1:13 ` Linus Torvalds
2001-05-22 1:18 ` Matthew Wilcox
2001-05-22 7:49 ` Alan Cox
2001-05-22 15:31 ` Matthew Wilcox
2001-05-22 15:31 ` Alan Cox
2001-05-22 15:38 ` Matthew Wilcox
2001-05-22 15:42 ` Alan Cox
2001-05-20 2:31 ` Alexander Viro
2001-05-20 16:57 ` David Woodhouse
2001-05-20 19:02 ` Linus Torvalds
2001-05-20 19:11 ` Alexander Viro
2001-05-20 19:18 ` Matthew Wilcox
2001-05-20 19:24 ` Alexander Viro
2001-05-20 19:34 ` Linus Torvalds
2001-05-20 19:27 ` Linus Torvalds
2001-05-20 19:33 ` Alexander Viro
2001-05-20 19:38 ` Linus Torvalds
2001-05-20 19:57 ` David Woodhouse
2001-05-21 13:57 ` Ingo Oeser
2001-05-19 9:11 ` [RFD w/info-PATCH] device arguments from lookup, partion code inuserspace Andrew Morton
2001-05-19 9:20 ` Alexander Viro
2001-05-19 7:58 ` Ben LaHaise
2001-05-19 8:10 ` Alexander Viro
2001-05-19 8:16 ` Ben LaHaise
2001-05-19 8:32 ` Alexander Viro
2001-05-19 9:42 ` [RFD w/info-PATCH] device arguments from lookup, partion code in userspace Christer Weinigel
2001-05-19 9:51 ` Christer Weinigel
2001-05-19 11:37 ` Eric W. Biederman
2001-05-19 14:25 ` Daniel Phillips
2001-05-21 8:14 ` Lars Marowsky-Bree
2001-05-22 9:07 ` Daniel Phillips
2001-05-19 13:53 ` Daniel Phillips
2001-05-19 13:57 ` Why side-effects on open(2) are evil. (was Re: [RFD w/info-PATCH] device arguments from lookup) Alexander Viro
2001-05-19 15:10 ` Abramo Bagnara [this message]
2001-05-19 15:18 ` Why side-effects on open(2) are evil. (was Re: [RFD w/info-PATCH]device " Alexander Viro
2001-05-19 16:01 ` Willem Konynenberg
2001-05-20 20:52 ` Pavel Machek
2001-05-20 20:53 ` Pavel Machek
2001-05-19 18:13 ` Why side-effects on open(2) are evil. (was Re: [RFD w/info-PATCH] device " Linus Torvalds
2001-05-19 23:19 ` Alexander Viro
2001-05-19 23:31 ` Why side-effects on open(2) are evil. (was Re: [RFD w/info-PATCH]device " Jeff Garzik
2001-05-19 23:32 ` Jeff Garzik
2001-05-19 23:39 ` Alexander Viro
2001-05-20 15:47 ` F_CTRLFD (was Re: Why side-effects on open(2) are evil.) Edgar Toernig
2001-05-20 16:20 ` Alexander Viro
2001-05-20 19:01 ` Edgar Toernig
2001-05-20 19:30 ` Alexander Viro
2001-05-21 17:16 ` Why side-effects on open(2) are evil. (was Re: [RFD w/info-PATCH]device arguments from lookup) Oliver Xymoron
2001-05-21 16:26 ` David Lang
2001-05-21 18:04 ` Oliver Xymoron
2001-05-21 20:14 ` Daniel Phillips
2001-05-22 15:24 ` Oliver Xymoron
2001-05-22 16:51 ` Daniel Phillips
2001-05-22 17:49 ` Oliver Xymoron
2001-05-22 20:22 ` Daniel Phillips
2001-05-23 4:19 ` Edgar Toernig
2001-05-23 4:50 ` Alexander Viro
2001-05-23 13:50 ` Daniel Phillips
2001-05-23 13:50 ` Daniel Phillips
2001-05-23 15:58 ` Oliver Xymoron
2001-05-24 0:23 ` Edgar Toernig
2001-05-24 7:47 ` Marko Kreen
2001-05-24 14:39 ` Oliver Xymoron
2001-05-24 15:20 ` CHR/BLK needed? was: Re: Why side-effects on open Marko Kreen
2001-05-24 17:12 ` Why side-effects on open(2) are evil. (was Re: [RFD w/info-PATCH]device Albert D. Cahalan
2001-05-24 17:25 ` Why side-effects on open(2) are evil. (was Re: [RFD w/info-PATCH]device arguments from lookup) Daniel Phillips
2001-05-24 20:59 ` Edgar Toernig
2001-05-24 21:26 ` Alexander Viro
2001-05-25 1:03 ` Daniel Phillips
2001-05-25 11:00 ` Daniel Phillips
2001-05-26 3:07 ` Edgar Toernig
2001-05-26 22:36 ` Daniel Phillips
2001-05-27 13:32 ` Edgar Toernig
2001-05-27 20:40 ` Ben LaHaise
2001-05-27 20:45 ` Daniel Phillips
2001-05-27 21:50 ` Marko Kreen
2001-05-28 1:26 ` Horst von Brand
2001-05-29 10:54 ` Daniel Phillips
2001-05-29 13:54 ` Horst von Brand
2001-05-19 23:52 ` Edgar Toernig
2001-05-20 0:18 ` Alexander Viro
2001-05-20 0:32 ` Linus Torvalds
2001-05-20 0:52 ` Jeff Garzik
2001-05-20 1:03 ` Jeff Garzik
2001-05-20 19:41 ` Why side-effects on open(2) are evil. (was Re: [RFD Alan Cox
2001-05-21 9:45 ` Why side-effects on open(2) are evil. (was Re: [RFD w/info-PATCH]device arguments from lookup) Andrew Clausen
2001-05-21 17:22 ` Oliver Xymoron
2001-05-22 18:53 ` Andreas Dilger
2001-05-24 9:20 ` Malcolm Beattie
2001-05-24 19:15 ` Andreas Dilger
2001-05-22 18:41 ` Andreas Dilger
2001-05-22 19:06 ` Linus Torvalds
2001-05-22 19:16 ` Peter J. Braam
2001-05-22 20:10 ` Andreas Dilger
2001-05-22 20:59 ` Peter J. Braam
2001-05-23 9:23 ` Stephen C. Tweedie
2001-05-24 21:07 ` Daniel Phillips
2001-05-24 22:00 ` Hans Reiser
2001-05-25 10:56 ` Daniel Phillips
2001-06-01 3:24 ` [reiserfs-list] " Hans Reiser
2001-05-23 9:13 ` Stephen C. Tweedie
2001-05-20 20:23 ` Why side-effects on open(2) are evil. (was Re: [RFD w/info-PATCH] device " Pavel Machek
2001-05-21 20:38 ` Alexander Viro
2001-05-19 18:31 ` [RFD w/info-PATCH] device arguments from lookup, partion code in userspace Linus Torvalds
-- strict thread matches above, loose matches on Subject: below --
2001-05-19 14:19 Why side-effects on open(2) are evil. (was Re: [RFD w/info-PATCH] device arguments from lookup) Andries.Brouwer
2001-05-19 14:58 ` Alexander Viro
2001-05-19 16:41 Andries.Brouwer
2001-05-19 16:51 ` Alexander Viro
2001-05-19 17:14 ` Matthew Wilcox
2001-05-19 23:24 ` Alexander Viro
2001-05-20 11:18 ` Matthew Kirkwood
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3B068D00.95338099@alsa-project.org \
--to=abramo@alsa-project.org \
--cc=bcrl@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@transmeta.com \
--cc=viro@math.psu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox