Author: Martin D Kealey Date: To: Exim-dev Subject: [exim-dev] dsearch erroneously requires directory "read" permission
As a matter of good security hygiene, I try to arrange file and directory
ownership and permissions to the minimum required. In particular, I only
enable "x" permission on directories that contain files that Exim needs to
access.
However, dsearch breaks this.
Even though lstat alone would work (proving the existence of the parent
directory, the ability to traverse it, and the existence of the target
filename), dsearch_open calls exim_opendir, and then immediately closes it,
and then fails because the directory lacks 'r' permission. Natch!
The comment above dsearch_open says "We open the directory to test whether
it exists and whether it is searchable", but that's not actually true,
because "readable" and "searchable" are two different things.
Is there any reason why dsearch_open shouldn't simply be an empty function
that always succeeds?
Alternatively, it could actually make use of the open fd, on systems that
support fstatat() and open with O_PATH.
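As an added illustration (not code from the message or from Exim), the following C program creates a scratch directory with only 'x' permission and records which of the calls discussed above still work: lstat on a file inside it, opendir on the directory itself, and fstatat through an O_PATH descriptor. The scratch path under /tmp and the file name "target" are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What still works on a directory that has 'x' (search) but no 'r' permission. */
struct probe {
    int lstat_ok;       /* 1 if lstat(dir/target) succeeded */
    int opendir_ok;     /* 1 if opendir(dir) succeeded */
    int opendir_errno;  /* errno from opendir when it failed */
    int fstatat_ok;     /* 1 if fstatat via an O_PATH fd succeeded, -1 if no O_PATH */
};
/* Constructed sample: a scratch directory under /tmp holding one file, chmod'ed to
 * 0100 so the caller keeps only search permission. Returns 0 and fills *r, or -1
 * if the scratch setup itself failed. */
int probe_search_only_dir(struct probe *r)
{
    char dir[] = "/tmp/dsearch-probe-XXXXXX", path[64];
    struct stat st;
    memset(r, 0, sizeof *r);
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/target", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    if (chmod(dir, 0100) != 0) { unlink(path); rmdir(dir); return -1; }
    r->lstat_ok = (lstat(path, &st) == 0);     /* needs only 'x' on dir: succeeds */
    DIR *d = opendir(dir);                     /* needs 'r' on dir: EACCES unless root */
    r->opendir_ok = (d != NULL);
    r->opendir_errno = d ? 0 : errno;
    if (d) closedir(d);
#ifdef O_PATH
    /* O_PATH needs no permission on the directory itself; fstatat relative to
     * that fd proves the target exists without ever needing 'r'. */
    int dfd = open(dir, O_PATH | O_DIRECTORY);
    r->fstatat_ok = (dfd >= 0 && fstatat(dfd, "target", &st, AT_SYMLINK_NOFOLLOW) == 0);
    if (dfd >= 0) close(dfd);
#else
    r->fstatat_ok = -1;
#endif
    chmod(dir, 0700);                          /* restore so cleanup can unlink */
    unlink(path);
    rmdir(dir);
    return 0;
}
```

A root caller bypasses the 'r' check, so opendir succeeds when run as root; the lstat and O_PATH paths succeed either way.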