Re: UTF-8 practically vs. theoretically in the VFS API (was: Re:JFS default behavior)
From: Linus Torvalds
Date: Tue Feb 17 2004 - 15:53:43 EST
On Tue, 17 Feb 2004, Jamie Lokier wrote:
>
> Nope. That wouldn't help for a bundle of libraries that goes:
>
> 1. Eliminate "." and ".." components, leaving only leading ".."s.
Who does this anyway? It's wrong. It gives the wrong answer if there was a
symlink somewhere.
I remember this exact bug in gcc (I think), at some point - trying to
"optimize" the path "aa/bb/../cc" into "aa/cc" is WRONG WRONG WRONG. They
are not the same thing at all.
Any library that does the above is broken.
> 2. Reject path if it has a leading "..".
> 3. Shove it in a string with some other text and pass to other library.
>
> Next program does:
>
> 4. Extract path from string.
> 5. open ("/var/public/files/$PATH", ...)
>
> O_NODOTDOT won't protect against that.
Ok, so explain why? O_NODOTDOT will certainly guarantee that it stays
inside "/var/public/files", since it has no way to escape (modulo
symlinks/mounts, of course).
The point being that with O_NODOTDOT | O_NOMOUNT | O_NOFOLLOW, you can
just do a simple "prepend my beginning pathname" operation, and do the
open that way without having to be careful.
Then, if the thing fails, you now need to be really careful, and perhaps
do a user-space "walk one component at a time" thing to see where it
failed. But what the O_NODOTDOT | O_NOMOUNT | O_NOFOLLOW thing gave you is
that you get a fast-path for the common case (ie you don't _always_ have
to do the "walk one component at a time" crud - only if you hit a case you
might be worried about).
(Now, O_NOMOUNT isn't actually useful if you use an absolute path like the
above example - it kind of assumes that you start from pwd which woul dbe
your "safe point", and that you expect all "safe" files to be under that
one filesystem. With an absolute path, you'll clearly often end up having
to cross mount-points unless your whole thing is on the root filesystem,
which kind of makes O_NOMOUNT useless in the first place).
Btw, right now O_NOMOUNT isn't a big issue, since only root can mount
things anyway. But if we start allowing user mounts (likely with
restrictions like you can only mount if the mount-point is owned by you
and writable), O_NOMOUNT may actually become a good idea.
Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/