mirror of https://github.com/mkerrisk/man-pages
link.2, open.2: Update AT_EMPTY_PATH and O_PATH documentation
The current text reflects the general worry in the kernel about recipients of O_PATH fds being able to hardlink the referenced files. It turns out that it was possible to link these files regardless of any possible security concerns. Linux 3.11 removes the capability check in AT_EMPTY_PATH. I expect that this functionality will be generally useful, so let's document it better. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Andy Lutomirski
Michael Kerrisk
parent
dff25141a5
commit
7dee406bc4
29
man2/link.2
29
man2/link.2
|
|
@ -135,16 +135,18 @@ is an empty string, create a link to the file referenced by
|
|||
flag).
|
||||
In this case,
|
||||
.I olddirfd
|
||||
must refer to a file other than a directory.
|
||||
The caller must have the
|
||||
can refer to any type of file, not just a directory. This will
|
||||
generally not work if the file has a link count of zero (files
|
||||
created with
|
||||
.BR O_TMPFILE
|
||||
and without
|
||||
.BR O_EXCL
|
||||
are an exception).
|
||||
Prior to Linux 3.11,
|
||||
.\" commit bb2314b47996491bbc5add73633905c3120b6268
|
||||
the caller must have the
|
||||
.BR CAP_DAC_READ_SEARCH
|
||||
capability in order to use this flag;
|
||||
this prevents arbitrary users from creating hard links
|
||||
using file descriptors received via a UNIX domain socket
|
||||
(see the discussion of
|
||||
.BR SCM_RIGHTS
|
||||
in
|
||||
.BR unix (7)).
|
||||
capability in order to use this flag.
|
||||
This flag is Linux-specific; define
|
||||
.B _GNU_SOURCE
|
||||
.\" Before glibc 2.16, defining _ATFILE_SOURCE sufficed
|
||||
|
|
@ -164,6 +166,15 @@ can be specified in
|
|||
to cause
|
||||
.I oldpath
|
||||
to be dereferenced if it is a symbolic link.
|
||||
If procfs is mounted,
|
||||
this can be used as an alternative to AT_EMPTY_PATH, even by
|
||||
unprivileged processes on Linux versions before 3.11, like this:
|
||||
.RS
|
||||
.PP
|
||||
.EX
|
||||
linkat(AT_FDCWD, "/proc/self/fd/<fd>", newdirfd, newname, AT_SYMLINK_FOLLOW);
|
||||
.EE
|
||||
.RE
|
||||
.PP
|
||||
Before kernel 2.6.18, the
|
||||
.I flags
|
||||
|
|
|
|||
|
|
@ -564,6 +564,13 @@ Passing the file descriptor as the
|
|||
argument of
|
||||
.BR openat (2)
|
||||
and the other "*at()" system calls.
|
||||
This includes
|
||||
.BR linkat (2)
|
||||
with
|
||||
.BR AT_EMPTY_PATH
|
||||
(or via procfs using
|
||||
.BR AT_SYMLINK_FOLLOW )
|
||||
even if the file is not a directory.
|
||||
.IP *
|
||||
Passing the file descriptor to another process via a UNIX domain socket
|
||||
(see
|
||||
|
|
|
|||
Loading…
Reference in New Issue