Re: Directory/File Access Permissions for COPY and Generic File Access Functions

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Andres Freund <andres(at)2ndquadrant(dot)com>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Directory/File Access Permissions for COPY and Generic File Access Functions
Date: 2014-10-29 18:24:21
Message-ID: 28918.1414607061@sss.pgh.pa.us
Lists: pgsql-hackers

I wrote:
> ... and we've only spent
> about five minutes actually looking for security issues, with no good
> reason to assume there are no more.

Oh, here's another one: what I read in RHEL6's open(2) man page is

O_NOFOLLOW
If pathname is a symbolic link, then the open fails. This is a
FreeBSD extension, which was added to Linux in version 2.1.126.
Symbolic links in earlier components of the pathname will still
be followed.

So heaven help you if you grant user joe access in directory
/home/joe/copydata, or any other directory whose parent is writable by
him. He can just remove the directory and replace it with a symlink to
whatever directory contains files he'd like the server to read/write for
him.

Again, we could no doubt install defenses against that sort of case,
once we realize it's a threat. Maybe they'd even be bulletproof defenses
(not too sure how you'd prevent race conditions though). But whether they
are or not, we just took the usability of the feature down another notch,
because certainly that sort of directory arrangement would have been
convenient for joe ... as long as he was trustworthy.

In any case, my larger point is that I foresee a very very long line
of gotchas of this sort, and I do not think that the proposed feature
is worth it.

regards, tom lane
