Re: Safeguards against incorrect fd flags for fsync()

On 11/24/19 6:28 PM, Michael Paquier wrote:
> On Thu, Nov 07, 2019 at 01:57:57PM -0800, Mark Dilger wrote:
>> The code and comments don't clearly indicate what you have said in the
>> email, that you are verifying directories are opened read-only and files are
>> opened either read-write or write-only.  I'd recommend changing the comments
>> a bit to make that clearer.
> 
> Thanks for the suggestions, sounds fine to me.
> 
>> I would also rearrange the code a little, as it is slightly clearer to read:
>>
>>     if (x)
>>         /* directory stuff */
>>     else
>>         /* file stuff */
>>
>> than as you have it:
>>
>>     if (!x)
>>         /* file stuff */
>>     else
>>         /* directory stuff */
> 
> The check order in the former patch is consistent with what's done at
> the top of fsync_fname_ext(), still I can see your point.  So let's do
> as you suggest.
> 
>> I'm a little uncertain about ignoring fstat errors as you do, but left that
>> part of the logic alone.  I understand that any fstat error will likely be
>> immediately followed by another error when the fsync is attempted, but
>> relying on that seems vaguely similar to the security vulnerability of
>> checking permissions and then opening a file as two separate operations.
>> Not sure the analogy actually holds for fstat before fsync, though.
> 
> The only possible error which could be expected here would be a ENOENT
> so we could filter after that, but fsync() would most likely complain
> about that so it sounds better to let it do its work with its own
> logging, which would be more helpful for the user, if of course we
> have fsync=on in postgresql.conf.
> 
>> Attached is a revised version of the patch.  Perhaps you can check what I've
>> done and tell me if I've broken it.
> 
> Thanks for the review.  I was wondering why I did not do that as well
> for file_utils.c, just to find out that fsync_fname() is the only
> entry point in file_utils.c.  Anyway, the patch had a problem
> regarding fcntl() which is not available on Windows (see for example
> pg_set_noblock in noblock.c).  Performing the sanity check will allow
> to catch any problems for all platforms we support, so let's just skip
> it for Windows.  For this reason it is better as well to update errno
> to 0 after the fstat() call.  Who knows...  Attached is an updated
> version, with your changes included.  How does that look?

That looks great, thank you, but I have not tested it yet.  I'll go do
that now....

-- 
Mark Dilger