We should avoid traversing symlinks.
In multiuser scenarios, a root user might be unpacking something in a user-writable directory. During unpacking, that user could replace a path component with a symlink, so that the write lands on an arbitrary file and overwrites it, leading to privilege escalation.
- We should use O_NOFOLLOW.
- We should use dirfds and only go component-by-component, never resolving multiple components in one system call.
We probably should switch to cap-std, because Rust doesn't have dirfds on stable at the moment.