author | Kaz Kylheku <kaz@kylheku.com> | 2015-09-23 06:37:41 -0700 |
---|---|---|
committer | Kaz Kylheku <kaz@kylheku.com> | 2015-09-23 06:37:41 -0700 |
commit | d5ec0bb0b9ec7f5f585d4dca3f16b29b3d43503b (patch) | |
tree | ce8c317b662255f831438ae8f528c0bdb8460cd0 | |
parent | 085ea58e669775b65dfe836e3c9c8ccd4d626480 (diff) | |
download | txr-d5ec0bb0b9ec7f5f585d4dca3f16b29b3d43503b.tar.gz txr-d5ec0bb0b9ec7f5f585d4dca3f16b29b3d43503b.tar.bz2 txr-d5ec0bb0b9ec7f5f585d4dca3f16b29b3d43503b.zip |
doc: note another race in path-private-to-me-p
* txr.1: document a TOCTTOU race condition in
uses of path-private-to-me-p and how to get
around it.
-rw-r--r-- | txr.1 | 14 |
1 files changed, 13 insertions, 1 deletions
@@ -31207,13 +31207,25 @@ member, who is the owner of the file. Otherwise, the file is reported as private. -Note that this interpretation of private is vulnerable to the following +Note that this interpretation of "private" is vulnerable to the following time-of-check to time-of-use race condition with regard to the group check. At the time of the check, the group might be empty or contain only the caller as a member. But by the time the file is subsequently accessed, the group might have been innocently extended by the system administrator to include additional users, who can maliciously modify the file. +Also note that the function is vulnerable to a time-of-check to time-of-use +race if +.meta path +is a string rather than a +.code stat +structure. If the directory which contains the file is writable to others, the +file can pass the check at the time the function is called, but before it is +used, the file can be replaced by another file with different permissions. +To guard against this race, one must open the file, and then use +.code fstat +on the stream. + .coNP Functions @ path-newer and @ path-older .synb .mets (path-newer < left-path << right-path ) |
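Review bot: In the added paragraph, the condition "if path is a string rather than a stat structure" reads as though passing any stat structure avoids the race. A structure filled in by calling stat on the path name, followed by a later open of that same name, leaves the same window in which the file can be replaced. Only the closing sentence ties the guard to fstat on the open stream. Suggest stating outright that the stat structure must come from fstat on the already opened stream, that this structure is what gets passed to path-private-to-me-p, and that all later access must go through that same stream rather than reopening the path. It would also help to make clear that this directory-replacement race is separate from the group-membership race described in the preceding paragraph, which fstat does not address.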