[Python-ideas] shutil.symlink to allow non-race replacement of existing link targets
Steven D'Aprano
steve at pearwood.info
Tue May 14 12:50:34 EDT 2019
On Tue, May 14, 2019 at 02:43:03PM +0300, Serhiy Storchaka wrote:
> Sorry, but I do not understand what problem you are trying to solve. If
> somebody can create a file named link_name between unlink and symlink,
> he can also remove and create a file named link_name after symlink.
I don't think that is always correct, although I don't know if it makes
a difference to your point or to the risk of this (supposed) race
condition.
On posix systems, you should be able to use chattr +i to make the file
immutable, so that the attacker cannot remove or replace it. Normally
only root has the ability to do this, but other users can be granted
that capability. (I'm not sure how easy it is to call chattr from
Python.)
There may also be SELinux controls in place. I don't use SELinux myself
so I don't know what precisely.
On Windows, permissions are quite different and far more fine-grained
than on posix, so I think that there could be scenarios where the
attacker can create link_name between the unlink and symlink (the feared
race condition) but not delete and replace link_name after it is in
place.
I'm not sure how relevant these observations are. But I think you make a
good point that we need to understand precisely the nature of the
problem being solved before we decide how to solve it :-)
--
Steven
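The race the thread is about, and the rename-based replacement the proposed shutil.symlink would presumably wrap, as an added example for readers of this message (example code written for this page, not Steven's, Serhiy's, or CPython's own code). The `interleave` hook is a test aid that stands in for "another process gets scheduled in the window"; it is an assumption of this example, not part of any real or proposed API. Assumes a POSIX filesystem where rename(2) atomically replaces an existing directory entry and the temporary name lives in the same directory as link_name.

```python
import os
import tempfile


def replace_symlink_racy(target, link_name, interleave=None):
    """The unlink-then-symlink sequence under discussion.

    Between the two calls nothing exists at link_name, so another process
    can create something there first.  `interleave` (hypothetical test aid)
    runs inside that window to make the race deterministic for the demo.
    """
    if os.path.lexists(link_name):
        os.unlink(link_name)
    if interleave is not None:
        interleave()  # "another process runs here"
    # Fails with FileExistsError if anything now occupies link_name.
    os.symlink(target, link_name)


def replace_symlink_atomic(target, link_name):
    """Create the new link under a temporary name in the same directory,
    then rename it over link_name.

    rename(2) swaps the directory entry atomically, so at no instant is
    link_name absent: an interloper sees either the old link or the new one.
    The temporary name lives in the same directory because rename cannot
    cross filesystems.  If link_name is a real directory the rename fails,
    just as symlink() would.
    """
    dirname = os.path.dirname(os.path.abspath(link_name)) or "."
    for _ in range(100):
        tmp = os.path.join(dirname, ".symlink-tmp-" + os.urandom(8).hex())
        try:
            os.symlink(target, tmp)
        except FileExistsError:
            continue  # unlikely collision on the random name; pick another
        try:
            os.replace(tmp, link_name)
        except OSError:
            os.unlink(tmp)  # do not leave the temporary link behind
            raise
        return
    raise FileExistsError("could not allocate a temporary link name")


def demonstrate():
    """Run both variants against a simulated interloper.

    Returns (racy_outcome, atomic_readlink, leftover_entries)."""
    with tempfile.TemporaryDirectory() as d:
        link = os.path.join(d, "current")
        os.symlink("v1", link)

        def interloper():
            # O_CREAT|O_EXCL: only succeeds if link_name does not exist at all,
            # which is exactly the window the racy version opens.
            with open(link, "x") as f:
                f.write("interloper was here\n")  # constructed content

        try:
            replace_symlink_racy("v2", link, interleave=interloper)
            racy = "replaced"
        except FileExistsError:
            is_plain_file = os.path.isfile(link) and not os.path.islink(link)
            racy = "regular file" if is_plain_file else "other"

        # Reset, then replace atomically.  With the link always present,
        # the interloper's open(..., "x") could never have succeeded.
        os.unlink(link)
        os.symlink("v1", link)
        replace_symlink_atomic("v2", link)
        atomic = os.readlink(link)
        leftovers = [n for n in os.listdir(d) if n != "current"]
        return racy, atomic, leftovers


if __name__ == "__main__":
    print(demonstrate())
```

In the racy variant the interloper wins the window and leaves a regular file at link_name, so the subsequent symlink() raises FileExistsError and the old target is simply gone. The atomic variant never removes the old entry; it is replaced in one rename, and a failed rename leaves the old link intact. This addresses only the gap between unlink and symlink; it says nothing about an attacker who can already delete and re-create link_name afterwards, which is Serhiy's point, and it does not require chattr or SELinux.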