syscallcompat: OpenNofollow: use O_DIRECTORY flag

...when opening intermedia directories to give us an extra layer of safety. From the FreeBSD man page: This flag can be used to prevent applications with elevated privileges from opening files which are even unsafe to open with O_RDONLY, such as device nodes.
2017-12-05 23:31:07 +01:00 · 2017-12-05 23:31:07 +01:00 · 03bf604fc0
commit 03bf604fc0
parent 926cb93b50
2 changed files with 5 additions and 5 deletions
--- a/internal/syscallcompat/open_nofollow.go
+++ b/internal/syscallcompat/open_nofollow.go
@ -22,8 +22,8 @@ func OpenNofollow(baseDir string, relPath string, flags int, mode uint32) (fd in
 		tlog.Warn.Printf("BUG: OpenNofollow called with absolute relPath=%q", relPath)
 		return -1, syscall.EINVAL
 	}
-	// Open the base dir
+	// Open the base dir (following symlinks)
-	dirfd, err := syscall.Open(baseDir, syscall.O_RDONLY, 0)
+	dirfd, err := syscall.Open(baseDir, syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
 	if err != nil {
 		return -1, err
 	}
@ -39,7 +39,7 @@ func OpenNofollow(baseDir string, relPath string, flags int, mode uint32) (fd in
 	// Walk intermediate directories
 	var dirfd2 int
 	for _, name := range dirs {
-		dirfd2, err = Openat(dirfd, name, syscall.O_RDONLY|syscall.O_NOFOLLOW, 0)
+		dirfd2, err = Openat(dirfd, name, syscall.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_DIRECTORY, 0)
 		syscall.Close(dirfd)
 		if err != nil {
 			return -1, err
--- a/internal/syscallcompat/open_nofollow_test.go
+++ b/internal/syscallcompat/open_nofollow_test.go
@ -31,8 +31,8 @@ func TestOpenNofollow(t *testing.T) {
 	if err == nil {
 		t.Fatalf("should have failed")
 	}
-	if err != syscall.ELOOP {
+	if err != syscall.ELOOP && err != syscall.ENOTDIR {
-		t.Errorf("expected ELOOP, got %v", err)
+		t.Errorf("expected ELOOP or ENOTDIR, got %v", err)
 	}
 	// Check to see that the base dir can be opened as well
 	fd, err = OpenNofollow(tmpDir, "", syscall.O_RDONLY, 0)