[PATCH v2 0/3] Support opening a symlink with O_PATH | O_NOFOLLOW

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Jan 13 18:39:00 GMT 2020 

On Jan 13 19:34, Corinna Vinschen wrote:
> On Jan 13 16:53, Ken Brown wrote:
> > On 1/13/2020 10:28 AM, Corinna Vinschen wrote:
> > > On Dec 29 17:56, Ken Brown wrote:
> > >> [...]
> > >> Note: The man page mentions fchownat and linkat also.  linkat already
> > >> supports the AT_EMPTY_PATH flag, so nothing needs to be done.  But I
> > >> don't understand how this could work for fchownat, because fchown
> > >> fails with EBADF if its fd argument was opened with O_PATH.  So I
> > >> haven't touched fchownat.
> > > 
> > > It was never supposed to work that way.  We can make fchownat work
> > > with AT_EMPTY_PATH, but using it on a file opened with O_PATH
> > > contradicts the Linux open(2) man page, afaics:
> > > 
> > >   O_PATH (since Linux 2.6.39)
> > >    Obtain a file descriptor that can be used for two  purposes:  to
> > >    indicate a location in the filesystem tree and to perform opera‐
> > >    tions that act purely at the file descriptor  level.   The  file
> > >    itself  is not opened, and other file operations (e.g., read(2),
> > >    write(2), fchmod(2), fchown(2), fgetxattr(2), ioctl(2), mmap(2))
> > >                         ^^^^^^^^^
> > >    fail with the error EBADF.
> > >    ^^^^^^^^^           ^^^^^
> > > 
> > > That'd from the current F31 man pages.
> > > 
> > >> Am I missing something?
> > > 
> > > Good question.  Let me ask in return, did *I* now miss something?
> > 
> > I don't think so.  I think we agree, although maybe I didn't express myself 
> > clearly enough for that to be obvious.  What confused me was the following 
> > paragraph further down in the open(2) man page (still discussing O_PATH):
> > 
> >    If pathname is a symbolic link and the O_NOFOLLOW flag is also
> >    specified, then the call returns a file descriptor referring
> >    to the symbolic link.  This file descriptor can be used as the
> >    dirfd argument in calls to fchownat(2), fstatat(2), linkat(2),
> >                               ^^^^^^^^^^^
> >    and readlinkat(2) with an empty pathname to have the calls
> >    operate on the symbolic link.
> 
> That's the part I missed, apparently.  Implementing fchownat like this
> may be a bit upside down.  The problem is that open(O_PATH) opens the
> file with query_read_attributes (aka READ_CONTROL | FILE_READ_ATTRIBUTES),
> to make sure the calls mentioned in the snippet I pasted don't succeed.  
> 
> If fchownat is supposed to work on a symlink like this, the easiest
> approach may be checking for this scenario in fchownat and calling
> lchown on the pathname instead.  Or something along these lines.

The alternative would be to open the sylink with more permissions, i.e.,
query_write_control, aka READ_CONTROL | WRITE_OWNER | WRITE_DAC |
FILE_WRITE_ATTRIBUTES.  I'm just hesitant to open up the descriptor
like this.  It probably allows too many actions on the descriptor
from user space...


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin-patches/attachments/20200113/0f503d87/attachment.sig>

More information about the Cygwin-patches mailing list