Re: Comments on draft-ietf-secsh-filexfer-05.txt

To: David Wagner <daw-usenet%taverner.cs.berkeley.edu@localhost>
Subject: Re: Comments on draft-ietf-secsh-filexfer-05.txt
From: Damien Miller <djm%mindrot.org@localhost>
Date: Mon, 22 Mar 2004 16:15:49 -0700 (MST)

On Mon, 22 Mar 2004, David Wagner wrote:

> Damien Miller  wrote:
> >I think that SSH_FXP_OPEN should support a flag to stop it from
> >following symlinks, like O_NOFOLLOW on some Unices.
> >
> >Without something like this, I believe that SSH_FXP_FSTAT isn't very
> >useful as a race-free means to collect attributes. One could end up
> >following a symlink unless one checks it first - which opens another race.
> 
> Even with O_NOFOLLOW, there are still race attacks.
> Consider opening /tmp/foo/bar/baz; O_NOFOLLOW only ensures
> that baz isn't a symlink, but makes no promises about foo or bar.

I don't see the race condition there: nofollow only applies to the last 
component of the path. Once you have opened it using nofollow, you have an 
open handle on which you may issue FSTATs, which are race-free. What am I 
missing?

> Maybe clients should be instructed not to rely on the filesystem
> to be the same across multiple operations.  SSH_FXP_FSTAT then
> SSH_FXP_OPEN is just as vulnerable to races as fstat() then open().

I don't understand, FSTAT operates on a handle returned by OPEN, not a 
pathname.

-d

Follow-Ups:
- Re: Comments on draft-ietf-secsh-filexfer-05.txt
  - From: David Wagner

References:
- Re: Comments on draft-ietf-secsh-filexfer-05.txt
  - From: Joseph Galbraith
- Re: Comments on draft-ietf-secsh-filexfer-05.txt
  - From: Damien Miller
- Re: Comments on draft-ietf-secsh-filexfer-05.txt
  - From: David Wagner

Prev by Date: Re: Comments on draft-ietf-secsh-filexfer-05.txt
Next by Date: Re: Comments on draft-ietf-secsh-filexfer-05.txt
Previous by Thread: Re: Comments on draft-ietf-secsh-filexfer-05.txt
Next by Thread: Re: Comments on draft-ietf-secsh-filexfer-05.txt
Indexes:

Home | Main Index | Thread Index | Old Index