Any code that performs a similar sequence of mkdirat followed by chown is racy: between the two calls the new directory is already visible in the file system with the creator's ownership, and anyone who can write to the parent directory can act on it, or replace it, in that window. Code like this may exist in a privileged helper that runs with capabilities on behalf of the user.
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

int ret, subdirfd;
/* directory is created here, with mode 0 and owned by the caller */
ret = mkdirat(dirfd, "dir", 0);
if (ret < 0) {
// ...
}
/* O_PATH|O_NOFOLLOW opens whatever is at "dir" now, not necessarily what mkdirat created */
subdirfd = openat(dirfd, "dir", O_NOFOLLOW|O_PATH);
if (subdirfd < 0) {
// ...
}
/* ownership is only corrected now; uid/gid 0 are placeholders for the intended owner */
ret = fchownat(subdirfd, "", 0, 0, AT_EMPTY_PATH);
if (ret < 0) {
// ...
}
Unlike openat, which has O_TMPFILE for regular files, there is no equivalent for directories: nothing lets one create a directory, set all the desired properties (mode, ownership) and only then "attach it" to the file system for real, the way an O_TMPFILE file can be linked in with linkat once it is ready.
Ideally there would be a way to supply both mode and ownership at creation time, or to make the operation race free in some other manner.
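As an added example, not part of the original text: the racy sequence above wrapped in a function, beside one workaround in the spirit of what the text asks for. The workaround is an assumption of mine, not something the page proposes: build the directory under a staging directory that only the helper can write (mode 0700, on the same file system as the target), finish ownership and mode there, and only then move it to its real name with renameat2(RENAME_NOREPLACE), so that an entry planted at the target name makes the operation fail instead of being silently chowned. The scratch tree under /tmp, the names "stage", "parent" and "dir", and the helper names are constructed for the example; it chowns to the caller's own uid so it runs unprivileged, and it is Linux-specific (O_PATH, AT_EMPTY_PATH, renameat2).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The racy pattern from the text: "dir" is visible under dirfd, owned by the
 * creator, before fchownat runs. Anyone who can write dirfd can replace "dir"
 * in that window and the chown lands on the replacement. */
int create_dir_racy(int dirfd, const char *name, mode_t mode,
                    uid_t uid, gid_t gid)
{
    if (mkdirat(dirfd, name, mode) < 0)
        return -1;
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_DIRECTORY);
    if (fd < 0)
        return -1;
    int ret = fchownat(fd, "", uid, gid, AT_EMPTY_PATH);
    int saved = errno;
    close(fd);
    errno = saved;
    return ret;
}

/* Remove the staging entry on failure, keeping the original errno. */
static int stage_fail(int stagefd, const char *tmp)
{
    int saved = errno;
    unlinkat(stagefd, tmp, AT_REMOVEDIR);
    errno = saved;
    return -1;
}

/* Assumed workaround (not from the page): stage under stagefd, a directory
 * nothing else can write, finish ownership and mode there, then move into
 * place. RENAME_NOREPLACE refuses to clobber an entry planted at `name`. */
int create_dir_staged(int stagefd, int dirfd, const char *name, mode_t mode,
                      uid_t uid, gid_t gid)
{
    char tmp[64];
    snprintf(tmp, sizeof tmp, ".staging-%ld", (long)getpid());

    /* 0700 is enough here: stagefd itself is unreachable for other users */
    if (mkdirat(stagefd, tmp, 0700) < 0)
        return -1;
    int fd = openat(stagefd, tmp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return stage_fail(stagefd, tmp);
    /* chown first (it may clear set-id bits), then set the final mode */
    if (fchown(fd, uid, gid) < 0 || fchmod(fd, mode) < 0) {
        close(fd);
        return stage_fail(stagefd, tmp);
    }
    close(fd);
    /* only now does the fully prepared directory appear under dirfd */
    if (renameat2(stagefd, tmp, dirfd, name, RENAME_NOREPLACE) < 0)
        return stage_fail(stagefd, tmp);
    return 0;
}

/* Self-check on a scratch tree under /tmp (constructed for this example).
 * Returns 0 on success, otherwise the number of the step that failed. */
int run_staged_demo(void)
{
    char base[] = "/tmp/mkdir-staged-XXXXXX";
    if (!mkdtemp(base))
        return 1;
    int basefd = open(base, O_RDONLY | O_DIRECTORY);
    if (basefd < 0)
        return 2;
    if (mkdirat(basefd, "stage", 0700) < 0 || mkdirat(basefd, "parent", 0755) < 0)
        return 3;
    int stagefd = openat(basefd, "stage", O_RDONLY | O_DIRECTORY);
    int parentfd = openat(basefd, "parent", O_RDONLY | O_DIRECTORY);
    if (stagefd < 0 || parentfd < 0)
        return 4;
    /* own uid so this runs unprivileged; a real helper passes the target uid/gid */
    if (create_dir_staged(stagefd, parentfd, "dir", 0750, getuid(), (gid_t)-1) < 0)
        return 5;
    struct stat st;
    if (fstatat(parentfd, "dir", &st, AT_SYMLINK_NOFOLLOW) < 0 || !S_ISDIR(st.st_mode))
        return 6;
    if ((st.st_mode & 07777) != 0750 || st.st_uid != getuid())
        return 7;
    /* the same name again must fail with EEXIST: nothing is renamed over */
    if (create_dir_staged(stagefd, parentfd, "dir", 0750, getuid(), (gid_t)-1) == 0
        || errno != EEXIST)
        return 8;
    unlinkat(parentfd, "dir", AT_REMOVEDIR);
    close(parentfd);
    close(stagefd);
    unlinkat(basefd, "parent", AT_REMOVEDIR);
    unlinkat(basefd, "stage", AT_REMOVEDIR);
    close(basefd);
    rmdir(base);
    return 0;
}

int main(void)
{
    int rc = run_staged_demo();
    if (rc == 0)
        printf("staged directory creation ok\n");
    else
        printf("staged directory creation failed at step %d\n", rc);
    return rc;
}
```

The staged version is not the O_TMPFILE equivalent the text asks for: the directory does exist in the file system during preparation, just in a place the other party cannot reach, and the approach only works when the staging directory is on the same file system as the target (renameat2 fails with EXDEV otherwise) and is not writable by anyone the helper does not trust.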