You could do fchmod directly on some platforms, but if I understand correctly, that's broken almost everywhere. This might be nonsense, but I was wondering if something highly complicated could work, which ensured that no other user has permission to access the directory handle itself, ensuring that no other user can replace the file in between.
    # get a handle to a directory that no other user can access:
    d = mkdtemp(0600)
    d_ = opendir(d)
    assert(owner(d_) == getpid() && group(d_) == 0 && mode(d_) == 0600)
    rmdir(d)
    # put our file in that directory, do our non-atomic operations, then put it back:
    renameat(AT_FDCWD, f, d_, f)
    assert(!islink(stat(f)))
    chmod(f, 0777)
    renameat(d_, f, AT_FDCWD, f)

I feel a bit like I'm reinventing transactional file systems here, since there's probably other atomic ops that could be used to expand this somewhat further (for example, by making hard links inside the directory, then replacing the original with those).

Anyhow, I'm not a security expert either, so this is all rather crazy and hypothetical anyways.

-Jameson

On Fri, Nov 9, 2018 at 3:34 AM Jan Staněk <[email protected]> wrote:

> Thanks for the explanation! With that, I can agree that the lchmod might
> be an option here. Any suggestions for platforms that do not have that?
> `fchmodat` might be an option here, but unfortunately the
> `AT_SYMLINK_NOFOLLOW` is not implemented at least on Linux (according to
> the man page).
> --
> Jan Staněk
> Associate Software Engineer, Core Services
> Red Hat Czech
> [email protected] IM: jstanek
>
> --
> You received this message because you are subscribed to the Google Groups
> "libuv" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/libuv.
> For more options, visit https://groups.google.com/d/optout.
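The race discussed in this thread (another user swapping the file for a symlink before the chmod) can be narrowed by opening with O_NOFOLLOW and changing the mode through the descriptor instead of the path. This is an added example, not code from the thread or from libuv; `chmod_nofollow` and `demo` are hypothetical names, and it assumes the caller may open the file for reading and that fchmod on a descriptor works on the platform.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not a libuv API: chmod `name` (relative to dirfd)
 * but refuse to act if the final path component is a symlink. */
int chmod_nofollow(int dirfd, const char *name, mode_t mode) {
    /* O_NOFOLLOW: open fails on a symlink. O_NONBLOCK: do not hang on a FIFO. */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0) {   /* inspect the object we hold, not the path */
        if (S_ISREG(st.st_mode)) rc = fchmod(fd, mode);
        else errno = EINVAL;     /* only regular files are accepted here */
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed demo in a private temp dir. Returns 0 when the symlink is
 * refused, its target keeps mode 0600, and the direct call sets 0640. */
int demo(void) {
    char dir[] = "/tmp/chmod-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    int d = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int f = d < 0 ? -1 : openat(d, "target", O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (f < 0 || fchmod(f, 0600) != 0) return -1;
    close(f);
    if (symlinkat("target", d, "link") != 0) return -1;

    struct stat st;
    int refused = chmod_nofollow(d, "link", 0644) == -1;
    int untouched = fstatat(d, "target", &st, 0) == 0 && (st.st_mode & 07777) == 0600;
    int changed = chmod_nofollow(d, "target", 0640) == 0 &&
                  fstatat(d, "target", &st, 0) == 0 && (st.st_mode & 07777) == 0640;

    unlinkat(d, "link", 0);
    unlinkat(d, "target", 0);
    close(d);
    rmdir(dir);
    return (refused && untouched && changed) ? 0 : 1;
}

int main(void) { return demo(); }
```

Only the final path component is protected; symlinks in parent directories still need a trusted `dirfd` obtained the same way.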
