
Re: Race-condition ?


From: David Kastrup
Subject: Re: Race-condition ?
Date: Fri, 24 Jun 2005 23:01:50 +0200
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (gnu/linux)

Eli Zaretskii <address@hidden> writes:

>> From: address@hidden (Gaëtan LEURENT)
>> Date: Fri, 24 Jun 2005 17:07:57 +0200
>> 
>> >    * fileio.c (Frename_file): Preserve owner and group, if possible,
>> >    when copying.
>> 
>> This is done with a call to chown, and I think this is a source of
>> race-conditions, like the one that was recently discovered in bzip2
>> (someone could have replaced the file by a link to another file between
>> Fcopy_file and chown).
>
> So?  What problems would that cause, except defeating the call to
> chown itself?  Previous versions of Emacs didn't call chown at all, so
> how is the current version worse?
>
> It's possible that this race condition is harmful in the context of
> bzip2, but that doesn't necessarily mean it's as harmful in Emacs.
>
>> I believe we should use fchown instead.
>
> Only if the danger is real, IMHO: fchown requires that we open the
> file, which is expensive.  If we go that way, we might as well check
> if we are root, and only open the file and call fchown if we are: no
> need to punish mere mortals if we know in advance the call will fail
> for them anyway.
>
>> In fileio.c there is also a call to chmod in copy-file which seems to
>> suffer from the same problem. This one is also in emacs 21.4.
>
> Yeah, and many versions before that.
>
> Anyway, how portable are fchown and fchmod?  If not all platforms
> support them, we shouldn't introduce them without an Autoconf test.

I fail to see the advantage of using chown, or using fopen and
fchown.  In both cases the file name can be changed to refer to
something else before the operation starts.

The only situation where fchown offers any advantage is where you
_already_ have a file open, like when you write the file after fopen,
and then change its permissions.

That is, the owner change must be accomplished in something like
write-region, or it is pointless.  As an isolated operation,
fopen/fchown offers no advantage whatsoever.

You could conceivably fopen, followed by fstat, check that you are
not talking about a symbolic link, and only then fchown, and this
would be safe against symlink attacks.

But apart from that, I see no specific advantage.

-- 
David Kastrup, Kriemhildstr. 15, 44793 Bochum
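The pattern the message above arrives at, as an added example that is not code from this thread or from Emacs's fileio.c: the owner and mode are applied through the descriptor of the file the copy itself just created, inside the same operation, rather than by a second path-based chown/chmod after the copy returns. The function names (copy_preserving_attrs, mode_bits, run_demo) and the temporary-directory layout are assumptions of this example; open() with O_NOFOLLOW plus fstat() on the opened descriptor is the "fstat, check it is not a symbolic link, then fchown" check described above, and the owner change is best-effort, since only root can hand a file to another owner.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy SRC to DST, carrying over the permission bits and, where the
 * caller is allowed to, the owner and group. Attributes are set through
 * the descriptor of the file we created, never through the name, so a
 * rename or symlink placed at DST after open() cannot redirect the
 * fchmod/fchown to some other file. O_NOFOLLOW refuses a symlink at
 * either path. Returns 0 on success, -1 with errno set on failure. */
int copy_preserving_attrs(const char *src, const char *dst)
{
    struct stat st;
    char buf[8192];
    ssize_t n;
    int in, out, saved;

    in = open(src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0)
        return -1;
    /* Inspect the object we actually opened, not the path name. */
    if (fstat(in, &st) < 0) {
        saved = errno; close(in); errno = saved; return -1;
    }
    if (!S_ISREG(st.st_mode)) {
        close(in); errno = EINVAL; return -1;
    }
    out = open(dst, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (out < 0) {
        saved = errno; close(in); errno = saved; return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { n = -1; break; }
            off += w;
        }
        if (n < 0)
            break;
    }
    if (n < 0)
        goto fail;
    /* Same descriptor, same file: this is the fchmod/fchown variant. */
    if (fchmod(out, st.st_mode & 07777) < 0)
        goto fail;
    /* Only root may change the owner; EPERM means "not possible", not an error. */
    if (fchown(out, st.st_uid, st.st_gid) < 0 && errno != EPERM)
        goto fail;
    close(in);
    return close(out);
fail:
    saved = errno;
    close(out);
    close(in);
    errno = saved;
    return -1;
}

/* Permission bits of PATH without following symlinks, or -1. */
static int mode_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Self-check: a constructed 0640 source file in a fresh temporary directory
 * is copied and must keep its bits, while a copy onto a symbolic link must
 * be refused instead of followed. Returns 0 when every check passes. */
int run_demo(void)
{
    char dir[] = "/tmp/fchown-demo-XXXXXX";
    char src[64], dst[64], lnk[64];
    int fd, rc = 0;

    if (!mkdtemp(dir))
        return 1;
    snprintf(src, sizeof src, "%s/src", dir);
    snprintf(dst, sizeof dst, "%s/dst", dir);
    snprintf(lnk, sizeof lnk, "%s/lnk", dir);
    fd = open(src, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return 2;
    if (write(fd, "hello\n", 6) != 6 || fchmod(fd, 0640) < 0)
        rc = 3;
    close(fd);
    if (rc == 0 && copy_preserving_attrs(src, dst) != 0) rc = 4;
    if (rc == 0 && mode_bits(dst) != 0640) rc = 5;
    if (rc == 0 && symlink(src, lnk) < 0) rc = 6;
    if (rc == 0 && copy_preserving_attrs(src, lnk) == 0) rc = 7;  /* ELOOP expected */
    unlink(lnk); unlink(dst); unlink(src); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (code %d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc;
}
```

Run as an unprivileged user the owner change is a no-op (the copy is already ours) and the mode is still carried over; run as root the fchown takes effect, but in both cases it lands on the descriptor the copy wrote through, which is the case where the thread agrees fchown buys something.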