Re: open() races in general

[glynn () SENSEI CO UK (Glynn Clements)]

Marc Heuse wrote:

> But now let's get to the "fix" proposed by some guys about checking the
> device number and inode number before opening the file (lstat) and
> afterwards (fstat).

OK, it should be open(), lstat(), fstat().

This approach isn't necessary in this particular case, as you are
checking the ownership, and the file is in a directory which
(hopefully) has the sticky bit set.

However, if this test isn't reliable (e.g. when you're creating a file
in a user's home directory), then you need the lstat/fstat test.

If you perform the lstat() after the file is opened, you can guarantee
that the target hasn't been removed and re-created with the same inode
number, as the inode can't be re-used while it is open.

Comparing the st_dev/st_ino pair with the results from fstat() ensures
that the lstat() really does refer to the file which you have opened.

The one case for which I don't know of a solution (and there may not
be one), is if a user creates a symlink to a device file or FIFO. In
this case, simply open()ing the target can cause undesired effects.

--
Glynn Clements <glynn () sensei co uk>