This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/15763] shm_open/unlink let you write outside SHMDIR
- From: "bugdal at aerifal dot cx" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Sat, 20 Jul 2013 19:07:37 +0000
- Subject: [Bug libc/15763] shm_open/unlink let you write outside SHMDIR
- Auto-submitted: auto-generated
- References: <bug-15763-131 at http dot sourceware dot org/bugzilla/>
http://sourceware.org/bugzilla/show_bug.cgi?id=15763
--- Comment #3 from Rich Felker <bugdal at aerifal dot cx> ---
EISDIR does not really make sense because, from the API standpoint of POSIX
SHM, "directories" do not exist in this namespace. Of course a malicious
program can create directories under /dev/shm, though, leading to an error
condition that programs must be able to deal with. I'm not sure what the best
error code would be.
How would you propose checking for directories? The obvious robust approach is
fstat, but that does increase the cost of each shm_open operation moderately.
If you just want to reject invalid names, "." and ".." would be the only two
that need consideration. But if you want to protect applications from
maliciously-created directories, the fstat approach might be needed.
By the way, I'm fairly sure that such directories are not relevant to programs
that use shm_open in a secure manner. Such programs must have the first user
open the file with O_EXCL|O_CREAT, and notify other users out-of-band of the
filename for the shared memory object. Otherwise there is no way of knowing
(within the SHM API) whether the object you opened belongs to another malicious
user; the possibility that it's a directory is a much lesser danger than the
possibility that it's an actual shared memory object owned by another user. So
I rather question whether protection against directories matters.
--
You are receiving this mail because:
You are on the CC list for the bug.