From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: openat(2) is mostly useless, sadly
To: "H. Hartzer" <h@hartzer.sh>
Cc: tech@openbsd.org
Date: Fri, 30 May 2025 12:24:46 -0600

> > RCS file: /cvs/src/sys/sys/fcntl.h,v
> > diff -u -p -u -r1.22 fcntl.h
> > --- sys/sys/fcntl.h	21 Jan 2019 18:09:21 -0000	1.22
> > +++ sys/sys/fcntl.h	24 May 2025 00:33:56 -0000
> > @@ -84,6 +84,7 @@
> >  #define	O_ASYNC		0x0040		/* signal pgrp when data ready */
> >  #define	O_FSYNC		0x0080		/* backwards compatibility */
> >  #define	O_NOFOLLOW	0x0100		/* if path is a symlink, don't follow */
> > +#define	O_BELOW		0x40000		/* openat(2) cannot open above */
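Review bot: the hunk shows only the new line and its three neighbours (0x0040, 0x0080, 0x0100), so it cannot confirm that bit 0x40000 is unused; check it against every other O_* definition in fcntl.h before committing, because a collision would silently alias an existing flag. The comment `/* openat(2) cannot open above */` also leans on the word "above" that the rest of this thread argues over; stating the concrete rule at the definition (absolute paths and any traversal out of dirfd are rejected, "." and anything under dirfd are allowed) would document the semantics where readers of the header will look for them.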
> 
> I wanted to point out that the language can be confusing of "above",
> "below", etc. Now it may be that this is named as appropriately as it
> can be, but while I was reading my instinct was that "below" meant a
> child directory, rather than a parent. I think there may be some
> confusion over the semantics.

There is no real confusion here.

There are 3 places you can reach with an *at() call.

      below
      "." (meaning the directory itself)
      above
      
The middle case is possible by doing

    dotfd = openat(dirfd, ".", O_DIRECTORY)

But this is very obscure.  It is not a dup(), either.  It's something
different.  But no one will do this.

O_BELOW allows the opening of ".", and other things below.  In truth what
it doesn't allow is "above".

I've not found a way to say this, without using O_NOTABOVE which is a
name I'm not going to use because the world ain't needing no more double
negatives.

> O_BELOW also sounds somewhat like it allows below, but not only below.
> Maybe O_ONLYBELOW? 

No.

Does O_CREAT do more than creat?  Damn those stupid old Unix farts
why didn't they call it O_ONLYCREAT to make this more clear...

> Another possibility might be something like O_CHROOT,
> which is a familiar and similar term, though might add other confusion.

Inside a chroot, '/' refers to the base of the chroot.

O_BELOW is NOT chroot, because it does not allow absolute paths at all.

It is not the same.  I explained this, but you didn't read.

> I think that ascend/descend might be somewhat more intuitive terms.
> Perhaps O_DESCEND, or O_ONLYDESCEND.

No, because that solves nothing.  I think you are going out of your
way to confuse yourself, and I'm not going to get dragged into it.
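As an added illustration of the three destinations Theo lists (below, ".", above) plus the absolute-path rejection, here is a small lexical classifier; it is not code from OpenBSD or from this thread, and the function and enum names are hypothetical. Because it only looks at the path string, it cannot see a symlink under dirfd that points above it, which is precisely the case a kernel-enforced flag catches and a userland check cannot.

```c
#include <stdio.h>
#include <string.h>

/* Where a path handed to openat(dirfd, path, ...) ends up relative to dirfd. */
enum reach { REACH_BELOW, REACH_DOT, REACH_ABOVE, REACH_ABSOLUTE };

/* Hypothetical helper: purely lexical classification of a path.
 * "." and empty components stay put, ".." at depth 0 leaves dirfd,
 * a leading "/" is absolute.  Symlinks are invisible here; only the
 * kernel, resolving component by component, can reject those. */
enum reach classify_at_path(const char *path)
{
    int depth = 0;            /* components below dirfd after cancelling ".." */
    const char *p = path;

    if (*p == '/')
        return REACH_ABSOLUTE;

    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* "a//b" or "a/./b": no movement */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return REACH_ABOVE;   /* would step out of dirfd */
            depth--;
        } else {
            depth++;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return depth > 0 ? REACH_BELOW : REACH_DOT;
}

int main(void)
{
    /* constructed sample paths, one per case */
    const char *samples[] = { ".", "etc/passwd", "a/..", "..", "a/../../b", "/etc/passwd" };
    const char *names[] = { "below", "dot", "above", "absolute" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s -> %s\n", samples[i], names[classify_at_path(samples[i])]);
    return 0;
}
```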