This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH v2] linux: open and openat ignore 'mode' with O_TMPFILE in flags
- From: Eric Rannaud <e at nanocritical dot com>
- To: Rich Felker <dalias at libc dot org>
- Cc: Florian Weimer <fw at deneb dot enyo dot de>, Roland McGrath <roland at hack dot frob dot com>, libc-alpha <libc-alpha at sourceware dot org>, joseph <joseph at codesourcery dot com>
- Date: Mon, 3 Nov 2014 10:10:12 -0800
- Subject: Re: [PATCH v2] linux: open and openat ignore 'mode' with O_TMPFILE in flags
- Authentication-results: sourceware.org; auth=none
- References: <CAH_=xoZcXehKgY6jviDbmUpOxS7Vn_pWm75zzr+mT4dGop5sjQ at mail dot gmail dot com> <9e272d5ae70d7db36329c99785aefa9d32f0964d dot 1414714637 dot git dot e at nanocritical dot com> <CAH_=xoZbC1064T13ZXXdYp8c2mU15QANumefm1XzWCEG-XuDMg at mail dot gmail dot com> <87bnopwq3c dot fsf at mid dot deneb dot enyo dot de> <20141102164415 dot GQ22465 at brightrain dot aerifal dot cx>
On Sun, Nov 2, 2014 at 8:44 AM, Rich Felker <dalias@libc.org> wrote:
> It's unlikely that such a flag will ever be added again, and it really
> should not have happened with O_TMPFILE. O_TMPFILE is fundamentally a
> "create" operation and should have either required O_CREAT with it, or
> had O_CREAT built into the bits of its definition. This was an
> oversight on the part of the kernel folks when they added it.
For reference, that was actually entirely deliberate (original
discussion at http://thread.gmane.org/gmane.linux.file-systems/76261).
They were looking for a flag combination that would guarantee that
O_TMPFILE would fail on older kernels.
When using O_TMPFILE to implement a secure temporary file facility,
you don't want

    fd = open("$TMPDIR", O_TMPFILE, 0600);

to succeed as a regular O_CREAT on an older kernel that doesn't know
about O_TMPFILE, yet finds the O_CREAT bit in flags, and creates a
visible file, when TMPDIR doesn't exist (any manual check beforehand
would necessarily be racy). open() has traditionally never checked for
unknown bits set in flags.
Some have argued (then and since) that this should have been a hint
that open() was the wrong place to add such a facility, and that a
tmpfile() syscall should have been added instead, with its own
separate semantics.
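As an added example (not code from this thread, from Eric, or from glibc), the following helper shows how a secure temporary-file facility can lean on the property described above: try O_TMPFILE first, and fall back to mkstemp() plus unlink() only when the kernel or filesystem rejects the flag. Because O_TMPFILE contains O_DIRECTORY and not O_CREAT, an older kernel that ignores the unknown bit fails the open rather than creating a visible file, so no racy pre-check of the directory is needed. The numeric fallback value for O_TMPFILE, the errno values used to detect an unsupported kernel or filesystem, and the function names are assumptions made for this example, not anything the thread states.

```c
#define _GNU_SOURCE          /* for O_TMPFILE in <fcntl.h> on glibc */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_TMPFILE
/* Assumption: the asm-generic value shared by x86, arm64 and most other Linux
 * ports. Only used when the libc headers predate O_TMPFILE (alpha, sparc and
 * parisc use a different bit, so this fallback would be wrong there). */
#define O_TMPFILE (020000000 | O_DIRECTORY)
#endif

/* Which path produced the descriptor, so callers (and tests) can tell. */
enum tmp_method { TMP_NONE = 0, TMP_O_TMPFILE = 1, TMP_MKSTEMP_UNLINK = 2 };

/* The bit-layout facts the thread is about: O_TMPFILE carries O_DIRECTORY
 * and deliberately does not carry O_CREAT. */
int o_tmpfile_has_o_directory(void) { return (O_TMPFILE & O_DIRECTORY) != 0; }
int o_tmpfile_has_o_creat(void)     { return (O_TMPFILE & O_CREAT) != 0; }

/* Open an unnamed temporary file in DIR. Try O_TMPFILE first; an older kernel
 * ignores the unknown __O_TMPFILE bit, sees O_DIRECTORY|O_RDWR, and fails
 * (EISDIR on a directory, ENOENT/ENOTDIR otherwise). Because O_CREAT is not
 * part of O_TMPFILE, that kernel can never create a visible file named DIR,
 * so no pre-check of DIR is needed and there is nothing to race against. */
int open_anon_tmpfile(const char *dir, enum tmp_method *method)
{
    /* The mode matters here: the kernel applies it to the unnamed inode,
     * which is what the glibc patch under discussion is about. */
    int fd = open(dir, O_TMPFILE | O_RDWR | O_CLOEXEC, S_IRUSR | S_IWUSR);
    if (fd >= 0) {
        if (method) *method = TMP_O_TMPFILE;
        return fd;
    }
    /* Assumed detection set: EISDIR means the kernel predates O_TMPFILE;
     * EOPNOTSUPP/EINVAL mean the kernel knows the flag but this filesystem
     * does not support it. Anything else (ENOENT, EACCES, ...) is a genuine
     * failure and is reported as such. */
    if (errno != EISDIR && errno != EOPNOTSUPP && errno != EINVAL)
        return -1;

    /* Fallback: mkstemp() creates with O_EXCL and mode 0600, then unlink()
     * removes the name. The name is briefly visible in DIR; that window is
     * the cost of not having O_TMPFILE. */
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/.anon-XXXXXX", dir) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (unlink(path) < 0 || fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (method) *method = TMP_MKSTEMP_UNLINK;
    return fd;
}

/* True if FD is a regular file with no name left in any directory. */
int fd_is_anonymous_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 0;
}

/* Open, verify, close. Returns the method used (>0) or -1 on failure.
 * DIR may be NULL, meaning $TMPDIR or /tmp. */
int demo_open_and_check(const char *dir)
{
    enum tmp_method method = TMP_NONE;
    if (!dir) {
        dir = getenv("TMPDIR");
        if (!dir || !*dir)
            dir = "/tmp";
    }
    int fd = open_anon_tmpfile(dir, &method);
    if (fd < 0)
        return -1;
    int ok = fd_is_anonymous_regular(fd);
    close(fd);
    return ok ? (int)method : -1;
}

int main(void)
{
    int m = demo_open_and_check(NULL);
    if (m < 0) {
        perror("open_anon_tmpfile");
        return 1;
    }
    printf("O_TMPFILE&O_DIRECTORY=%d O_TMPFILE&O_CREAT=%d method=%s\n",
           o_tmpfile_has_o_directory(), o_tmpfile_has_o_creat(),
           m == TMP_O_TMPFILE ? "O_TMPFILE" : "mkstemp+unlink");
    return 0;
}
```

The fstat() check at the end is the cheap post-condition a caller can always apply: whichever path was taken, the descriptor must refer to a regular file with st_nlink == 0, i.e. nothing reachable by name was left behind.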