[Re-adding bug-gnulib in CC]

Paul Eggert wrote:
> > - similar vulnerability does exist in the old code, too
> ...
> But really, isn't it *odd* that there's no way to copy a file securely
> with ACLs (either with xattr or without)? What's up with that? Didn't
> ACL/xattr designers think about copying files?

There is a way to do it securely; _we_ just haven't thought about how to
do it securely so far.

When I added the 'copy-file' module in 2003, it did not handle ACLs. Then,
when I added ACL support to it in 2006, I left open a security hole (namely
when the destination file already exists and has an ALLOWing ACL set): we
don't specify O_EXCL here, nor do we delete the ACL first.

And there's a second case, namely the uses of copy_acl from GNU coreutils...

I think, to handle this in full generality, we need to decompose an ACL into
an ALLOWing ACL and a DENYing ACL. Then, when writing to a file that already
exists and potentially has an ACL, we need to proceed in these phases:

  1. remove the ALLOWing part of the old ACL,
  2. add the DENYing part of the new ACL,
  3. copy the data,
  4. remove the DENYing part of the old ACL (as far as not also contained in
     the new ACL),
  5. add the ALLOWing part of the new ACL.

Something like that, no?

Bruno
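The five-phase ordering above can be checked on an abstract model. The following C program is an added illustration, not gnulib or coreutils code and not the real libacl API: it represents principals as bits in a mask, an ACL as an ALLOWing mask plus a DENYing mask (a principal may read only if allowed and not denied), and walks through the phases Bruno lists, recording who could read the destination at each intermediate point. It compares that with the hole the message describes, where data is written into the existing file and its ACL is only replaced afterwards. The invariant it checks is that no principal gets read access at any point unless both the old and the new ACL permit it.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not gnulib code: each principal is one bit. */
typedef uint32_t principals;
enum { USER_A = 1u << 0, USER_B = 1u << 1, USER_C = 1u << 2 };

/* An ACL decomposed into its ALLOWing and DENYing parts, as in the message. */
typedef struct {
    principals allow;
    principals deny;
} model_acl;

/* Who can read: explicitly allowed and not explicitly denied. */
static principals effective(model_acl a) { return a.allow & ~a.deny; }

/* Walk the five phases.  Returns the set of principals that, at some
 * intermediate point, could read although old and new ACL do not both
 * permit it (0 means the ordering is safe).  *during_copy receives the
 * readers present while the data is being written (phase 3). */
static principals phased_leak(model_acl old_acl, model_acl new_acl,
                              principals *during_copy)
{
    principals bound = effective(old_acl) & effective(new_acl);
    principals leak = 0;
    model_acl cur = old_acl;

    cur.allow = 0;                      /* 1. drop old ALLOWing part */
    leak |= effective(cur) & ~bound;
    cur.deny |= new_acl.deny;           /* 2. add new DENYing part */
    leak |= effective(cur) & ~bound;
    *during_copy = effective(cur);      /* 3. copy the data */
    leak |= effective(cur) & ~bound;
    cur.deny &= new_acl.deny;           /* 4. drop old DENY entries not in new */
    leak |= effective(cur) & ~bound;
    cur.allow = new_acl.allow;          /* 5. add new ALLOWing part */
    leak |= effective(cur) ^ effective(new_acl); /* must now equal new ACL */
    return leak;
}

/* The hole in the message: write into the existing destination first,
 * replace the ACL afterwards, so the old ACL governs the new bytes. */
static principals naive_leak(model_acl old_acl, model_acl new_acl,
                             principals *during_copy)
{
    principals bound = effective(old_acl) & effective(new_acl);
    *during_copy = effective(old_acl);
    return *during_copy & ~bound;
}

int main(void)
{
    /* Constructed sample: destination currently allows A and B, the
     * source ACL allows A and explicitly denies B. */
    model_acl old_acl = { USER_A | USER_B, 0 };
    model_acl new_acl = { USER_A, USER_B };
    principals rd;

    printf("phased: leak=%#x readers during copy=%#x\n",
           phased_leak(old_acl, new_acl, &rd), rd);
    printf("naive:  leak=%#x readers during copy=%#x\n",
           naive_leak(old_acl, new_acl, &rd), rd);
    return 0;
}
```

With the sample ACLs the phased ordering has no readers at all while the data is in flux and ends in exactly the new ACL, whereas the naive ordering lets B (allowed by the old ACL, denied by the new one) read the freshly written content during the copy. The model abstracts away filesystem details such as the POSIX ACL mask entry and the fact that plain POSIX ACLs have no DENY entries; it only checks the ordering argument itself.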