-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PathUtilities misbehavior on linux #45631
Comments
One could perhaps use Directory.CreateDirectory(String, UnixFileMode) within |
Thank you for your thoughtful issue. In reference to https://github.com/dotnet/sdk/pull/45633/files#diff-2c7fe79f19abb90af52e305c3b339ac410b00889d4a4acd5aae1689898cf7ace: mkdir returns the status code We need to be 100% certain that, the directory did not exist before hand and has no possibility of existing beforehand. That's not refutable. If we use an if statement to check if the directory exists, that is not good enough, it could be created between the two lines of code run. I understand wanting to have linux and windows behavior be the same. But my question is, why would you want TMPDIR to be a dir that DNE? I'm not certain on the idea that its wrong for the SDK to fail on one OS if the OS standard environment variable is set to be something 'bad'. |
mkdir and CreateDirectory difference is clear from the docs, but why does it matter isn't
why is it not the case on windows? if something sneaky is racing with |
I can hear that but it is 100% not the case today on windows so you can reverse my proposal and say windows must be fixed.
There are cases you can not write in I'm fine keeping mkdir but it should be able to try to create the parents, in particular in the case of a custom |
chmod after mkdir has the risk that another user might be able to access the directory between those calls and maliciously create files or symlinks in it. Even if Guid.NewGuid().ToString() is not predictable, such an attack could succeed if the .NET SDK process is somehow slowed down so that the other user has time to read the directory name. This risk does not apply to Windows, where each user has a separate TEMP directory. |
So if on linux the |
Do you run .NET SDK in such a minimal container?
I suppose it could be changed to do |
Not that minimal but locked (securityContext) so it behaves almost the same (
Sounds good to me. |
tmp on linux is world writeable, tmp on windows is user secured permissions. |
I think I'm ok with that. I will probably have to run this through some security reviews though to check it in (which sorry @kasperk81, this was part of the delay on the HOME pr.) |
FTR
this is an assumption which is not always true (even without containers) so apps/libs can't assume it even if it is most of the time |
new implementation in #45633 will create the directory with permissions (atomically) and retry until it succeeded. the "exists" behavior is same as windows, which is not the concern if i understood it correctly? with NewGuid, it's hard to fathom there can ever be a conflict. |
@MiYanni This is already triaged so no need to worry about it, I just need to re-review the PR again (though that's like the 7th thing on my list atm) |
Hi,
https://github.com/dotnet/sdk/blob/main/src/Common/PathUtilities.cs#L24 uses
mkdir
on linux andDirectory.CreateDirectory
on windows.This leads to a behavior difference where some directory can not be created if
TMPDIR
is a path which doesn't exist on linux (it fails) and it passes on windows.I propose to drop the linux specificity and keep using the Directory API + chmod after directory creation if 0700 perms are desired.
The text was updated successfully, but these errors were encountered: