14.05.19 19:50, Steven D'Aprano writes:
> On Tue, May 14, 2019 at 02:43:03PM +0300, Serhiy Storchaka wrote:
>> Sorry, but I do not understand what problem you are trying to solve. If somebody can create a file named link_name between unlink and symlink, he can also remove and create a file named link_name after symlink.
> I don't think that is always correct, although I don't know if it makes a difference to your point or to the risk of this (supposed) race condition.
> On POSIX systems, you should be able to use chattr +i to make the file immutable, so that the attacker cannot remove or replace it. Normally only root has the ability to do this, but other users can be granted that capability. (I'm not sure how easy it is to call chattr from Python.)
> There may also be SELinux controls in place. I don't use SELinux myself so I don't know what precisely.
This looks like too marginal a case for including it in the stdlib. Python does not provide an API for "chattr +i", so you should use a subprocess for creating an immutable temporary symlink before replacing the target. It would not be easy to test this feature because you need to grant specific capabilities to the Python interpreter. This may be an interesting project on PyPI, but I do not think that we need to include it in the stdlib, because of little need and because of the complex, error-prone implementation.
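The temporary-symlink-then-replace step mentioned in the message above, without the chattr part, as an added example that is not code from the thread or from the stdlib. The name `replace_symlink` and the sample directory layout are assumptions made for illustration.

```python
import os
import secrets
import tempfile


def replace_symlink(target, link_name):
    """Point link_name at target with no moment at which link_name is absent.

    Hypothetical helper (not a stdlib API): create the new symlink under a
    random temporary name in the same directory, then rename it over
    link_name.
    """
    directory = os.path.dirname(os.path.abspath(link_name))
    for _ in range(100):
        tmp = os.path.join(directory, ".tmp-" + secrets.token_hex(8))
        try:
            # symlink() fails with EEXIST instead of following or
            # overwriting an entry somebody else created under this name.
            os.symlink(target, tmp)
        except FileExistsError:
            continue
        break
    else:
        raise FileExistsError("could not create a temporary symlink name")
    try:
        # rename(2) swaps the directory entry atomically and acts on the
        # symlink itself, not on whatever it points to.
        os.replace(tmp, link_name)
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    # Constructed sample layout inside a private temporary directory.
    with tempfile.TemporaryDirectory() as d:
        link = os.path.join(d, "current")
        os.symlink("release-1", link)
        replace_symlink("release-2", link)
        leftovers = [n for n in os.listdir(d) if n.startswith(".tmp-")]
        return os.readlink(link), leftovers
```

This closes only the gap between unlink and symlink; a user who can write to the directory can still replace `link_name` afterwards, which is the objection raised in the thread.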