From: "bugdal at aerifal dot cx"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/15763] shm_open/unlink let you write outside SHMDIR
Date: Sat, 20 Jul 2013 19:09:00 -0000
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: 2.18
X-Bugzilla-Status: NEW
X-Bugzilla-URL: http://sourceware.org/bugzilla/

http://sourceware.org/bugzilla/show_bug.cgi?id=15763

--- Comment #3 from Rich Felker ---

EISDIR does not really make sense because, from the API standpoint of POSIX SHM, "directories" do not exist in this namespace. Of course a malicious program can create directories under /dev/shm, though, leading to an error condition that programs must be able to deal with. I'm not sure what the best error code would be.

How would you propose checking for directories? The obvious robust approach is fstat, but that does increase the cost of each shm_open operation moderately. If you just want to reject invalid names, "." and ".." would be the only two that need consideration. But if you want to protect applications from maliciously-created directories, the fstat approach might be needed.

By the way, I'm fairly sure that such directories are not relevant to programs that use shm_open in a secure manner. Such programs must have the first user open the file with O_EXCL|O_CREAT, and notify other users out-of-band of the filename for the shared memory object. Otherwise there is no way of knowing (within the SHM API) whether the object you opened belongs to another malicious user; the possibility that it's a directory is a much lesser danger than the possibility that it's an actual shared memory object owned by another user. So I rather question whether protection against directories matters.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
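The two defensive pieces discussed in the comment, the name check that rejects "." and ".." and the fstat check that rejects a planted directory (or an object owned by someone else) after an out-of-band handoff, as an added example that is neither Rich Felker's code nor glibc's. It assumes glibc's SHMDIR of /dev/shm, builds the path itself and calls open(2) rather than shm_open() so it links without librt, and the safe_shm_* names are hypothetical. Its name check is deliberately stricter than the one the bug describes: any embedded '/' is rejected, not only "." and "..".

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumption: glibc's SHMDIR on Linux is /dev/shm. */
#define SHMDIR "/dev/shm/"

/* A POSIX shm name is one path component. One leading '/' is allowed
   (conventional); ".", ".." and any further '/' are rejected so the
   name cannot resolve to an entry outside SHMDIR. */
int safe_shm_name_ok(const char *name)
{
    if (name == NULL) return 0;
    if (*name == '/') name++;
    if (*name == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    if (strchr(name, '/') != NULL) return 0;
    return 1;
}

/* SHMDIR + name into buf; -1 with errno=EINVAL on a bad name. */
int safe_shm_build_path(char *buf, size_t size, const char *name)
{
    if (!safe_shm_name_ok(name)) { errno = EINVAL; return -1; }
    if (*name == '/') name++;
    int n = snprintf(buf, size, SHMDIR "%s", name);
    if (n < 0 || (size_t)n >= size) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* The fstat check from the thread: accept only a regular file (not a
   directory planted under SHMDIR) owned by expected_uid. */
int safe_shm_verify_fd(int fd, uid_t expected_uid)
{
    struct stat st;
    if (fstat(fd, &st) < 0) return -1;
    if (!S_ISREG(st.st_mode)) { errno = EINVAL; return -1; }
    if (st.st_uid != expected_uid) { errno = EPERM; return -1; }
    return 0;
}

/* Creator side: O_CREAT|O_EXCL means success implies we made the object,
   so it cannot be a pre-existing file or directory of another user. */
int safe_shm_create_exclusive(const char *name, mode_t mode)
{
    char path[4096];
    if (safe_shm_build_path(path, sizeof path, name) < 0) return -1;
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, mode);
}

/* Consumer side: the name arrived out of band; open without O_CREAT and
   verify what we actually got before touching it. */
int safe_shm_open_verified(const char *name, uid_t expected_uid)
{
    char path[4096];
    if (safe_shm_build_path(path, sizeof path, name) < 0) return -1;
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (safe_shm_verify_fd(fd, expected_uid) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Self-checks that do not need /dev/shm: "/" is a directory and must be
   rejected; a fresh mkstemp file is a regular file we own and must pass. */
int demo_directory_rejected(void)
{
    int fd = open("/", O_RDONLY);
    if (fd < 0) return 0;
    int rejected = safe_shm_verify_fd(fd, geteuid()) < 0;
    close(fd);
    return rejected;
}

int demo_regular_file_accepted(void)
{
    char tmpl[] = "/tmp/shmdemoXXXXXX";   /* constructed scratch file */
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    int ok = safe_shm_verify_fd(fd, geteuid()) == 0;
    close(fd);
    unlink(tmpl);
    return ok;
}

/* 1 if "/good" maps under SHMDIR and "../x" is refused with EINVAL. */
int demo_paths_checked(void)
{
    char buf[64];
    if (safe_shm_build_path(buf, sizeof buf, "/good") != 0) return 0;
    if (strcmp(buf, "/dev/shm/good") != 0) return 0;
    if (safe_shm_build_path(buf, sizeof buf, "../x") != -1 || errno != EINVAL) return 0;
    return 1;
}

int main(void)
{
    printf("paths ok: %d, dir rejected: %d, regular accepted: %d\n",
           demo_paths_checked(), demo_directory_rejected(), demo_regular_file_accepted());
    return 0;
}
```

The creator never needs the fstat at all, which is the comment's point: with O_CREAT|O_EXCL a successful open is proof of ownership. The fstat cost lands only on the consumer side, once per open, and it is what turns "is this a directory?" into the more useful question "is this the producer's regular file?".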