On Tue, May 14, 2019 at 02:43:03PM +0300, Serhiy Storchaka wrote:
> Sorry, but I do not understand what problem you are trying to solve. If somebody can create a file named link_name between unlink and symlink, he can also remove and create a file named link_name after symlink.
I don't think that is always correct, although I don't know if it makes a difference to your point or to the risk of this (supposed) race condition.

On POSIX systems, you should be able to use chattr +i to make the file immutable, so that the attacker cannot remove or replace it. Normally only root has the ability to do this, but other users can be granted that capability. (I'm not sure how easy it is to call chattr from Python.) There may also be SELinux controls in place. I don't use SELinux myself so I don't know what precisely.

On Windows, permissions are quite different and far more fine-grained than on POSIX, so I think that there could be scenarios where the attacker can create link_name between the unlink and symlink (the feared race condition) but not delete and replace link_name after it is in place.

I'm not sure how relevant these observations are. But I think you make a good point that we need to understand precisely the nature of the problem being solved before we decide how to solve it :-)

-- 
Steven
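The window the thread is discussing, between `os.unlink(link_name)` and `os.symlink(target, link_name)`, is a name that momentarily does not exist and can be claimed by another process. The usual mitigation does not need chattr or SELinux: build the symlink under a temporary name in the same directory and `rename()` it over `link_name`, because on POSIX `rename(2)` atomically replaces the destination entry, so `link_name` is always either the old entry or the new symlink. The code below is an added illustration written for this page, not code from the thread or from CPython; the function names, the `.tmp-symlink-` prefix, and the sample target strings are my own choices.

```python
import os
import secrets
import tempfile


def replace_symlink_naively(target, link_name):
    """The two-step pattern under discussion: link_name is absent between the calls."""
    try:
        os.unlink(link_name)
    except FileNotFoundError:
        pass
    # Anything that creates link_name here makes this symlink() raise FileExistsError.
    os.symlink(target, link_name)


def replace_symlink_atomically(target, link_name):
    """Point link_name at target without link_name ever being absent.

    The symlink is created under a random temporary name in the same directory
    (os.symlink fails instead of following if that name already exists), then
    os.replace() renames it over link_name in one atomic step. If link_name is
    a directory the rename fails and the temporary link is cleaned up.
    """
    link_dir = os.path.dirname(os.path.abspath(link_name))
    for _ in range(16):
        tmp_name = os.path.join(link_dir, ".tmp-symlink-" + secrets.token_hex(8))
        try:
            os.symlink(target, tmp_name)
        except FileExistsError:
            continue  # name collision; pick another random name
        try:
            os.replace(tmp_name, link_name)  # atomic on POSIX; no gap in which link_name is missing
        except BaseException:
            os.unlink(tmp_name)
            raise
        return
    raise OSError("could not allocate a temporary symlink name in %s" % link_dir)


def demonstrate():
    """Exercise the atomic variant in a scratch directory and report the outcome.

    The pre-existing regular file stands in for an entry created by another
    process; the atomic variant replaces it without ever unlinking first.
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        link_name = os.path.join(d, "current")
        with open(link_name, "w") as f:           # constructed starting state
            f.write("some other process put this here\n")

        replace_symlink_atomically("release-2", link_name)
        results["is_link"] = os.path.islink(link_name)
        results["target"] = os.readlink(link_name)

        # Re-pointing an existing symlink follows the same path.
        replace_symlink_atomically("release-3", link_name)
        results["retarget"] = os.readlink(link_name)

        # The temporary name must not survive a successful replace.
        results["leftovers"] = [n for n in os.listdir(d) if n.startswith(".tmp-symlink-")]
    return results


if __name__ == "__main__":
    print(demonstrate())
```

This only closes the gap on the symlink side; as Serhiy notes, a party who can write to the directory can still replace the link afterwards, so the atomic rename is a fix for the specific unlink-then-symlink window, not a substitute for directory permissions.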