Re: Names vs. Inodes

From: Crispin Cowan (crispinat_private)
Date: Thu Jul 19 2001 - 13:37:30 PDT

  • Next message: Chris Wright: "Re: Names vs. Inodes"

    Valdis.Kletnieksat_private wrote:
    
    > On Wed, 18 Jul 2001 15:32:48 PDT, Crispin Cowan <crispinat_private>  said:
    > > If someone has a practical, detailed way to construct the name, please
    > > speak up.  Note that it is not sufficient to be able to construct *some*
    > > name that *could* have been used to open the file: we need the actual name
    > > that was used to make the request.
    > I'm curious how you can reconstruct the name for this sequence:
    >
    >         mkdir("/tmp/foo");
    >         cd("/tmp/foo");
    >         rmdir("/tmp/foo");
    >         /* run for a while */
    >         int whatname_for_fd = open("bar");
    
    We (more or less) implemented this program to see what would happen
    (attached).  Changes from Valdis' code:
    
       * "cd" became "chdir"
       * "open" became "creat", because otherwise open just fails because the file
         is non-existent
    
    > namei() will work off '.' which is still around as long as it's the process
    > current directory - but '.' isn't attached to a name anymore.
    >
    > Given that some other process can create a new /tmp/foo in the meantime, I
    > think that the right term here is "basically intractable".  The file created
    > by the open() call *has* no name in the file system.
    
    When run, this program gets an EACCES error if the rmdir is left in place, and
    works successfully without the rmdir.
    
    Therefore, the above sequence will never occur: DAC will just reject it.
    
    Crispin
    
    --
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
    
    #include <stdio.h>
    #include <unistd.h>     /* chdir, sleep */
    #include <fcntl.h>      /* creat */
    #include <sys/stat.h>   /* mkdir */
    
    int main(void) {
    	int	result;
    
    	/* mkdir and creat take a mode argument; it is masked by the umask */
    	result = mkdir("/tmp/foo", 0777);
    	printf("mkdir %d\n", result);
    	result = chdir("/tmp/foo");
    	printf("chdir %d\n", result);
    	/* uncomment to remove the current directory out from under the process */
    	// result = rmdir("/tmp/foo");
    	// printf("rmdir %d\n", result);
    
    	sleep(10);
    
    	/* "bar" is resolved relative to '.', i.e. the (possibly removed) directory */
    	result = creat("bar", 0666);
    	printf("result=%d\n", result);
    	return 0;
    }
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
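
The sequence Valdis describes, as an added example that is not part of the original message or Crispin's attachment. Instead of hard-coding /tmp/foo (which a racing process could recreate, the case Valdis raises), it uses mkdtemp for a unique scratch directory, optionally rmdir()s that directory while it is still the process's cwd, and then records what the kernel reports: the errno from creat("bar"), the errno from getcwd(), and what readlink("/proc/self/cwd") returns. The scratch-directory template, the helper names and the 0644 mode are this example's own choices; it assumes Linux, a writable TMPDIR or /tmp, and (for the /proc line only) a mounted procfs. On current Linux the kernel refuses to create an entry in an unlinked directory with ENOENT, getcwd() fails with ENOENT as well, and /proc/self/cwd reports the old path with a " (deleted)" suffix, which is the kernel's own way of saying that '.' no longer has a valid name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* What the kernel reports after mkdir / chdir / [rmdir] / creat("bar"). */
struct name_probe {
    int  creat_fd;            /* fd from creat("bar"), or -1 */
    int  creat_errno;         /* errno if creat failed, else 0 */
    int  getcwd_errno;        /* errno if getcwd() failed afterwards, else 0 */
    char proc_cwd[PATH_MAX];  /* readlink("/proc/self/cwd"), "" if unavailable */
};

/*
 * Run Valdis' sequence in a fresh, uniquely named directory (mkdtemp, so a
 * /tmp/foo created by someone else cannot interfere) and record the outcome.
 * Returns 0 on success, -1 if the setup itself failed.  The caller's working
 * directory is restored and the scratch directory removed before returning.
 */
int name_probe_run(int remove_cwd, struct name_probe *out)
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[PATH_MAX];
    char cwd[PATH_MAX];
    int orig;

    memset(out, 0, sizeof *out);
    /* hypothetical template name, constructed for this example */
    snprintf(dir, sizeof dir, "%s/names-vs-inodes-XXXXXX", tmp);

    orig = open(".", O_RDONLY | O_DIRECTORY);   /* so we can fchdir() back */
    if (orig < 0)
        return -1;
    if (mkdtemp(dir) == NULL || chdir(dir) != 0) {
        close(orig);
        return -1;
    }
    /* Linux lets a process rmdir() its own cwd; '.' keeps the inode alive. */
    if (remove_cwd && rmdir(dir) != 0) {
        fchdir(orig); close(orig); rmdir(dir);
        return -1;
    }

    /* The call under discussion: "bar" is resolved relative to '.' */
    out->creat_fd = creat("bar", 0644);
    out->creat_errno = out->creat_fd < 0 ? errno : 0;

    /* Can the kernel still produce a name for '.'? */
    if (getcwd(cwd, sizeof cwd) == NULL)
        out->getcwd_errno = errno;

    /* d_path() view of the same directory; Linux appends " (deleted)" */
    ssize_t n = readlink("/proc/self/cwd", out->proc_cwd, sizeof out->proc_cwd - 1);
    out->proc_cwd[n >= 0 ? n : 0] = '\0';

    /* cleanup: close/unlink bar if it was created, go back, drop the scratch dir */
    if (out->creat_fd >= 0) {
        close(out->creat_fd);
        unlink("bar");
    }
    fchdir(orig);
    close(orig);
    if (!remove_cwd)
        rmdir(dir);
    return 0;
}

/* Convenience wrappers: errno observed for creat() / getcwd(), -1 if setup failed. */
int name_probe_creat_errno(int remove_cwd)
{
    struct name_probe p;
    return name_probe_run(remove_cwd, &p) == 0 ? p.creat_errno : -1;
}

int name_probe_getcwd_errno(int remove_cwd)
{
    struct name_probe p;
    return name_probe_run(remove_cwd, &p) == 0 ? p.getcwd_errno : -1;
}

int main(void)
{
    struct name_probe p;
    for (int rm = 0; rm <= 1; rm++) {
        if (name_probe_run(rm, &p) != 0) {
            perror("setup");
            return 1;
        }
        printf("rmdir %s: creat -> %d (%s); getcwd %s; /proc/self/cwd -> \"%s\"\n",
               rm ? "in place" : "skipped", p.creat_fd,
               p.creat_errno ? strerror(p.creat_errno) : "ok",
               p.getcwd_errno ? strerror(p.getcwd_errno) : "ok", p.proc_cwd);
    }
    return 0;
}
```

The point of recording errno rather than just the return value is that the two runs fail differently: with the directory intact every call succeeds, and with it removed the creat is refused by the kernel before any DAC check on "bar" could apply, because the parent directory is already dead. The /proc/self/cwd line shows why a "reconstruct the name from the fd" approach cannot recover a usable path here: the kernel still remembers the string it once had, but flags it as deleted, and any new /tmp/foo created in the meantime would be a different inode.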
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 13:39:39 PDT