Protect against check-and-open race conditions

There is a small window between running lstat() on a filename and
opening it where it's possible for the file to have been modified.
We were protecting against this by saving the stat data from the
original file and verifying that it was the same file (by device
and inode) when we opened it again, but this is an imperfect
solution, as it is still possible for an attacker to modify the
permissions during this window.

It is much better to simply open the file and test on the active
file descriptor.

Resolves https://fedorahosted.org/sssd/ticket/425 incidentally, as
without the initial lstat, we are implicitly accepting symlinks
and only verifying the target file.

1 files changed, 2 insertions, 2 deletions

diff --git a/src/tests/check_and_open-tests.c b/src/tests/check_and_open-tests.c
index 7ec8f3bc..e3d98868 100644
--- a/src/tests/check_and_open-tests.c
+++ b/src/tests/check_and_open-tests.c
@@ -100,11 +100,11 @@ START_TEST(test_symlink)
     ret = symlink(filename, newpath);
     fail_unless(ret == 0, "symlink failed [%d][%s]", ret, strerror(ret));
 
-    ret = check_and_open_readonly(newpath, &fd, uid, gid, mode, CHECK_REG);
+    ret = check_file(newpath, uid, gid, mode, CHECK_REG, NULL);
     unlink(newpath);
+
     fail_unless(ret == EINVAL,
                 "check_and_open_readonly succeeded on symlink");
-    fail_unless(fd == -1, "check_and_open_readonly file descriptor not -1");
 }
 END_TEST