From: utzoo!decvax!duke!unc!mcnc!idis!mi-cec!dvk Newsgroups: net.bugs.v7 Title: Bug in link() Article-I.D.: mi-cec.133 Posted: Tue Aug 10 14:58:42 1982 Received: Sat Aug 14 04:13:11 1982 Here's a fun one for all you folks in hack-land... We have a program that tries to rename directories. (For those who care, it is the "mv" program, but it could be anything). This program does the standard "link to a new name, unlink the old name" to rename. Now if we run this as root, all is fine, since *only* root can link to a directory. If we run it as a regular user, the program fails. Now, just failing would not be such a big deal, but, to our dismay, our directories got trashed. Why? Because the link count got decremented each time someone tried to rename "foo", until "foo" just disappeared! Rather than simply make our program mode 4755, owned by root, we figured it would be more reasonable to fix an obvious OS bug. In sys2/link(), there is code that reads as follows: ========================================================================== link() {ip = namei(uchar, 0); if (ip == NULL) return; if ((ip->i_mode & IFMT)==IFDIR && !suser()) goto out; ip->i_nlink++; ip->i_flag |= ICHG; out: if (u.u_error) { ip->i_nlink--; ip->i_flag |= ICHG; } iput(ip); } ========================================================================== The problem is that if "namei" detects an error, but does not return NULL, then the link count, which was unincremented, is decremented anyway. We don't know why "namei" sets u.u_error, but apparently it does. The simple fix is to not decrement the link count, but instead branch directly to the call to iput. Setting u.u_error to EPERM is a flourish we couldn't resist. ========================================================================== link() { ip = namei(uchar, 0); if (ip == NULL) return; if ((ip->i_mode & IFMT)==IFDIR && !suser()) { u.u_error = EPERM; goto out1; /* Note new label name! */ } out: if (u.u_error) { ip->i_nlink--; ip->i_flag |= ICHG; } out1: iput(ip); } ========================================================================== Happy hacking! Daniel Klein and Tron McConnell, Mellon Institute, Pittsburgh