Bugtraq mailing list archives

Re: Race condition in "rm -r"


From: chris_calabrese () YAHOO COM (Chris Calabrese)
Date: Mon, 8 May 2000 06:46:15 -0700


Another method to solve this rather than doing a stat
of '.' after the chdir is to eliminate the race
condition by using fchdir() rather than chdir().

If open() took a flag telling it to not traverse
sym-links, this code would be really simple:

  ...readdir(..., nextentry)...
  ...nextlevel=open(nextlevel, O_NOFOLLOW...)...
  ...fchdir(nextlevel)...

Unfortunately, open doesn't have such a flag, so we
need an extra lstat(nextentry.d_name) after the
fchdir() to make sure we didn't.

Overall this may seem roughly the same amount of code
as the extra stat("."), but this code also guarantees
that the structure won't change out from under us on
the way back up the tree (since we have open file
descriptors).  This does come at the expense of lots
of extra file descriptors being consumed, but that's
not a problem on most modern OSes.

BTW, did you send this to CERT as well?  Given that
most of the commercial Unixen all have the same code
base for 'rm -r' and 'chmod/chgrp/chown -R', this
problem probably also exists in HP-UX, AIX, UnixWare,
Tru64, IRIX, etc., etc., and CERT is the right entity
to coordinate such a cross-vendor bug fix.

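The descent step described in the message above, as an added example that is not part of the original post or of any vendor's rm source. It assumes a system whose open() does accept O_NOFOLLOW and O_DIRECTORY (POSIX.1-2008), and it keeps the lstat comparison as a second check; the names enter_dir_nofollow and demo and the /tmp path are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Enter directory `name` (relative to the cwd) without following a symlink.
 * Returns an open fd for the new cwd, or -1 if the entry is not a real
 * directory or was swapped between the lstat() and the open(). */
int enter_dir_nofollow(const char *name)
{
    struct stat before, after;
    if (lstat(name, &before) != 0 || !S_ISDIR(before.st_mode))
        return -1;                       /* symlink, file, or missing */
    int fd = open(name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* The fd pins one object; it must be the one lstat() saw. */
    if (fstat(fd, &after) != 0 || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino || fchdir(fd) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo tree: real/ is a directory, link -> real is a symlink.
 * Returns 0 when real/ is entered, link is refused, and fchdir() on the
 * saved parent descriptor brings us back up. */
int demo(void)
{
    char tmpl[] = "/tmp/fchdir-demo-XXXXXX";
    if (!mkdtemp(tmpl) || chdir(tmpl) != 0) return 1;
    int top = open(".", O_RDONLY | O_DIRECTORY);
    if (top < 0 || mkdir("real", 0700) != 0 || symlink("real", "link") != 0)
        return 2;
    int refused = enter_dir_nofollow("link");     /* expect -1 */
    int entered = enter_dir_nofollow("real");     /* expect fd >= 0 */
    int back = fchdir(top);   /* return via the descriptor, not ".." */
    struct stat st;
    int sees_real = (back == 0 && lstat("real", &st) == 0);
    if (entered >= 0) close(entered);
    unlink("link"); rmdir("real"); close(top); rmdir(tmpl);
    return (refused == -1 && entered >= 0 && sees_real) ? 0 : 3;
}

int main(void) { return demo(); }
```

Going back up with fchdir() on the saved parent descriptor is what keeps the return path stable: a chdir("..") would be resolved again at the time of the call.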

