From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-79523-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 8D9E0139085
	for <garchives@archives.gentoo.org>; Fri,  3 Feb 2017 14:52:23 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id A04D821C088;
	Fri,  3 Feb 2017 14:52:14 +0000 (UTC)
Received: from blaine.gmane.org (unknown [195.159.176.226])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 503F021C07F
	for <gentoo-dev@lists.gentoo.org>; Fri,  3 Feb 2017 14:52:14 +0000 (UTC)
Received: from list by blaine.gmane.org with local (Exim 4.84_2)
	(envelope-from <lnx-gentoo-dev@m.gmane.org>)
	id 1cZfDV-0000E0-Qh
	for gentoo-dev@lists.gentoo.org; Fri, 03 Feb 2017 15:52:01 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: gentoo-dev@lists.gentoo.org
From: Martin Vaeth <martin@mvath.de>
Subject: [gentoo-dev] Re: Requirements for UID/GID management
Date: Fri, 3 Feb 2017 14:51:53 +0000 (UTC)
Message-ID: <slrno9968g.p7t.martin@lounge.imp.fu-berlin.de>
References: <9558d41c-17c0-4bbd-e2f8-02575c6d0ecd@gentoo.org>
 <CAGfcS_=biacBM0xsy0GX3_X0mOAd3BdgHDXYorSBkmwsoQ9sgQ@mail.gmail.com>
 <ee24eb83-4430-40ff-07d0-577bc188457d@gentoo.org>
 <CAGfcS_=V+xmBU+fFbMQBH39E9-y9CUaZt9Bok80Wg6_jboHcbQ@mail.gmail.com>
 <20170127183752.500f8910@patrickm>
 <CAGfcS_kcXOa+NC5Eh_qGb95uEaaKsarjsK92jOuTpUB=P5sXxg@mail.gmail.com>
 <4a8204d4-929e-6260-957a-dcf8f82f4b24@gentoo.org>
 <c350f01e-0bf8-f7b4-cfa0-ce6a9575e5e2@gmail.com>
 <9bceefb9-f7d2-06a4-2304-d31f627f7656@gentoo.org>
 <3fd11559-004c-11f8-609a-923ebc074539@gmail.com>
 <495556ab-637c-6b21-fac0-52d3bd1e4986@gentoo.org>
 <616a4068-8581-bce6-3359-50b1ff5a817d@gmail.com>
 <8eb6fc27-8504-ad7d-7ad1-7272da662178@gentoo.org>
 <8bfa7182-7a02-7ecb-42d1-37c2d130f586@gmail.com>
 <513d3ceb-9e07-096a-ff5c-2cf8a5c2a6fd@gentoo.org>
 <20170130100557.49b3b77e@patrickm>
 <671d81bc-8432-a903-024f-40e3c19a4f96@gentoo.org>
X-Complaints-To: usenet@blaine.gmane.org
User-Agent: slrn/pre1.0.0-26 (Linux)
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Archives-Salt: ea7e1e01-5381-46a1-9dd8-c1eba6044e91
X-Archives-Hash: 60035c6fbb054f8d0ed0edbf332fccff

Michael Orlitzky <mjo@gentoo.org> wrote:
>
> The fact that all permission and ownership information is shared is
> precisely the problem. When you change ownership of the hardlink (which
> you'll never know is a hardlink), you change ownership of /etc/shadow.

Why should this be a problem except for a race between reading
and changing the ownership?
Admittedly, by using "find ... -exec ... +" the time for an exploit
of the race is even increased when a "standard" chown command is used.

However, it is no rocket science to write a race-free chown command
in C: Just open the file and use stat() and fchown() to be sure to
change only files from the "correct" user.

Since this works on the filehandle and not on the filename, I think
that there is no possibility for an exploit when this is used in the
above find loop.