public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "bugdal at aerifal dot cx" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug libc/15763] shm_open/unlink let you write outside SHMDIR Date: Sat, 20 Jul 2013 19:09:00 -0000 [thread overview] Message-ID: <bug-15763-131-8gU6qFjLKq@http.sourceware.org/bugzilla/> (raw) In-Reply-To: <bug-15763-131@http.sourceware.org/bugzilla/> http://sourceware.org/bugzilla/show_bug.cgi?id=15763 --- Comment #3 from Rich Felker <bugdal at aerifal dot cx> --- EISDIR does not really make sense because, from the API standpoint of POSIX SHM, "directories" do not exist in this namespace. Of course a malicious program can create directories under /dev/shm, though, leading to an error condition that programs must be able to deal with. I'm not sure what the best error code would be. How would you propose checking for directories? The obvious robust approach is fstat, but that does increase the cost of each shm_open operation moderately. If you just want to reject invalid names, "." and ".." would be the only two that need consideration. But if you want to protect applications from maliciously-created directories, the fstat approach might be needed. By the way, I'm fairly sure that such directories are not relevant to programs that use shm_open in a secure manner. Such programs must have the first user open the file with O_EXCL|O_CREAT, and notify other users out-of-band of the filename for the shared memory object. Otherwise there is no way of knowing (within the SHM API) whether the object you opened belongs to another malicious user; the possibility that it's a directory is a much lesser danger than the possibility that it's an actual shared memory object owned by another user. So I rather question whether protection against directories matters. -- You are receiving this mail because: You are on the CC list for the bug.
next prev parent reply other threads:[~2013-07-20 19:09 UTC|newest] Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top 2013-07-20 10:55 [Bug libc/15763] New: " corbellini.andrea at gmail dot com 2013-07-20 17:04 ` [Bug libc/15763] " bugdal at aerifal dot cx 2013-07-20 18:45 ` corbellini.andrea at gmail dot com 2013-07-20 19:09 ` bugdal at aerifal dot cx [this message] 2013-07-20 20:40 ` corbellini.andrea at gmail dot com 2013-10-31 13:03 ` neleai at seznam dot cz 2014-06-13 13:21 ` fweimer at redhat dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-15763-131-8gU6qFjLKq@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).