IETF-SSH archive


Re: Comments on draft-ietf-secsh-filexfer-05.txt



On Mon, 22 Mar 2004, David Wagner wrote:

> Damien Miller wrote:
> >I think that SSH_FXP_OPEN should support a flag to stop it from
> >following symlinks, like O_NOFOLLOW on some Unices.
> >
> >Without something like this, I believe that SSH_FXP_FSTAT isn't very
> >useful as a race-free means to collect attributes. One could end up
> >following a symlink unless one checks it first - which opens another race.
> 
> Even with O_NOFOLLOW, there are still race attacks.
> Consider opening /tmp/foo/bar/baz; O_NOFOLLOW only ensures
> that baz isn't a symlink, but makes no promises about foo or bar.

I don't see the race condition there: nofollow only applies to the last 
component of the path. Once you have opened it using nofollow, you have an 
open handle on which you may issue FSTATs, which are race-free. What am I 
missing?

> Maybe clients should be instructed not to rely on the filesystem
> to be the same across multiple operations.  SSH_FXP_FSTAT then
> SSH_FXP_OPEN is just as vulnerable to races as fstat() then open().

I don't understand, FSTAT operates on a handle returned by OPEN, not a 
pathname.

-d
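
Added example, not part of the original message or of the draft: a small POSIX C program showing both points raised in this thread. O_NOFOLLOW refuses a symlink only in the last path component and still follows one in an intermediate directory, and fstat() on the returned descriptor describes the object that was actually opened. The function names, the temporary directory layout and the result bits are constructed for illustration; a system that provides O_NOFOLLOW is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open without following a symlink in the LAST path component, then read
 * attributes from the descriptor rather than the name. Returns 0 or -errno. */
int open_nofollow_fstat(const char *path, struct stat *st)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -errno;
    int rc = fstat(fd, st) < 0 ? -errno : 0; /* describes the opened object */
    close(fd);
    return rc;
}

/* Constructed fixture in a fresh temp directory: real/file (regular),
 * link -> real/file, dirlink -> real. Result bits:
 * 1 = final-component symlink refused, 2 = path through dirlink opened,
 * 4 = that open reached the same inode as real/file. */
int nofollow_demo(void)
{
    char tmp[] = "/tmp/nofollowXXXXXX", p[5][64];
    const char *leaf[5] = { "real", "real/file", "link", "dirlink", "dirlink/file" };
    struct stat direct, via;
    int out = 0;
    if (!mkdtemp(tmp)) return -1;
    for (int i = 0; i < 5; i++)
        snprintf(p[i], sizeof p[i], "%s/%s", tmp, leaf[i]);
    if (mkdir(p[0], 0700) < 0) return -1;
    int fd = open(p[1], O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (symlink("real/file", p[2]) < 0 || symlink("real", p[3]) < 0) return -1;
    if (open_nofollow_fstat(p[1], &direct) < 0) return -1;
    if (open_nofollow_fstat(p[2], &via) < 0) out |= 1;
    if (open_nofollow_fstat(p[4], &via) == 0) {
        out |= 2;
        if (via.st_dev == direct.st_dev && via.st_ino == direct.st_ino) out |= 4;
    }
    unlink(p[2]); unlink(p[3]); unlink(p[1]); rmdir(p[0]); rmdir(tmp);
    return out;
}

int main(void) { printf("result bits: %d\n", nofollow_demo()); return 0; }
```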


