Open directories with the O_DIRECTORY flag.

millert · millert · commit 7c2c3226bd55 · 2025-10-01T16:10:02.000-06:00
We cannot use O_PATH on Linux in many cases because older kernels
don't support fchdir() or fstat() on an fd opened with O_PATH.
diff --git a/include/sudo_compat.h b/include/sudo_compat.h
@@ -144,6 +144,11 @@
 # endif
 #endif
 
+/* Older systems lack O_DIRECTORY. */
+#ifndef O_DIRECTORY
+# define O_DIRECTORY	0
+#endif
+
 /*
  * BSD defines these in <sys/param.h> but we don't include that anymore.
  */
diff --git a/lib/iolog/iolog_loginfo.c b/lib/iolog/iolog_loginfo.c
@@ -49,7 +49,7 @@ iolog_parse_loginfo(int dfd, const char *iolog_dir)
     debug_decl(iolog_parse_loginfo, SUDO_DEBUG_UTIL);
 
     if (dfd == -1) {
-	if ((tmpfd = open(iolog_dir, O_RDONLY)) == -1) {
+	if ((tmpfd = open(iolog_dir, O_RDONLY|O_DIRECTORY)) == -1) {
 	    sudo_warn("%s", iolog_dir);
 	    goto bad;
 	}
diff --git a/lib/iolog/iolog_mkdirs.c b/lib/iolog/iolog_mkdirs.c
@@ -53,11 +53,11 @@ iolog_mkdirs(const char *path)
     int dfd;
     debug_decl(iolog_mkdirs, SUDO_DEBUG_UTIL);
 
-    dfd = open(path, O_RDONLY|O_NONBLOCK);
+    dfd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY);
     if (dfd == -1 && errno == EACCES) {
 	/* Try again as the I/O log owner (for NFS). */
 	if (iolog_swapids(false)) {
-	    dfd = open(path, O_RDONLY|O_NONBLOCK);
+	    dfd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY);
 	    if (!iolog_swapids(true)) {
 		ok = false;
 		goto done;
diff --git a/lib/iolog/regress/fuzz/fuzz_iolog_timing.c b/lib/iolog/regress/fuzz/fuzz_iolog_timing.c
@@ -86,7 +86,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 	return 0;
 
     /* Create a timing file from the supplied data. */
-    dfd = open(logdir, O_RDONLY);
+    dfd = open(logdir, O_RDONLY|O_DIRECTORY);
     if (dfd == -1)
 	goto cleanup;
 
diff --git a/lib/iolog/regress/iolog_filter/check_iolog_filter.c b/lib/iolog/regress/iolog_filter/check_iolog_filter.c
@@ -72,7 +72,7 @@ main(int argc, char *argv[])
 	ntests++;
 
 	/* I/O logs consist of multiple files in a directory. */
-	dfd = open(logdir, O_RDONLY);
+	dfd = open(logdir, O_RDONLY|O_DIRECTORY);
 	if (dfd == -1) {
 	    sudo_warn("%s", logdir);
 	    errors++;
diff --git a/lib/util/fchmodat.c b/lib/util/fchmodat.c
@@ -40,8 +40,8 @@ sudo_fchmodat(int dfd, const char *path, mode_t mode, int flag)
     if (dfd == (int)AT_FDCWD)
 	return chmod(path, mode);
 
-    /* Save cwd */
-    if ((odfd = open(".", O_RDONLY)) == -1)
+    /* Save cwd (cannot use O_PATH on older Linux kernels). */
+    if ((odfd = open(".", O_RDONLY|O_DIRECTORY)) == -1)
 	goto done;
 
     if (fchdir(dfd) == -1)
diff --git a/lib/util/fchownat.c b/lib/util/fchownat.c
@@ -36,8 +36,8 @@ sudo_fchownat(int dfd, const char *path, uid_t uid, gid_t gid, int flags)
 	    return chown(path, uid, gid);
     }
 
-    /* Save cwd */
-    if ((odfd = open(".", O_RDONLY)) == -1)
+    /* Save cwd (cannot use O_PATH on older Linux kernels). */
+    if ((odfd = open(".", O_RDONLY|O_DIRECTORY)) == -1)
 	return -1;
 
     if (fchdir(dfd) == -1) {
diff --git a/lib/util/fstatat.c b/lib/util/fstatat.c
@@ -38,8 +38,8 @@ sudo_fstatat(int dfd, const char * restrict path, struct stat * restrict sb, int
 	    return stat(path, sb);
     }
 
-    /* Save cwd */
-    if ((odfd = open(".", O_RDONLY)) == -1)
+    /* Save cwd (cannot use O_PATH on older Linux kernels). */
+    if ((odfd = open(".", O_RDONLY|O_DIRECTORY)) == -1)
 	goto done;
 
     if (fchdir(dfd) == -1)
diff --git a/lib/util/mkdir_parents.c b/lib/util/mkdir_parents.c
@@ -89,9 +89,9 @@ sudo_open_parent_dir_v1(const char *path, uid_t uid, gid_t gid, mode_t mode,
 	do {
 	    cp++;
 	} while (*cp == '/');
-	parentfd = open("/", O_RDONLY|O_NONBLOCK);
+	parentfd = open("/", O_RDONLY|O_NONBLOCK|O_DIRECTORY);
     } else {
-	parentfd = open(".", O_RDONLY|O_NONBLOCK);
+	parentfd = open(".", O_RDONLY|O_NONBLOCK|O_DIRECTORY);
     }
     if (parentfd == -1) {
 	if (!quiet)
@@ -118,7 +118,7 @@ sudo_open_parent_dir_v1(const char *path, uid_t uid, gid_t gid, mode_t mode,
 	memcpy(name, cp, len);
 	name[len] = '\0';
 reopen:
-	dfd = openat(parentfd, name, O_RDONLY|O_NONBLOCK, 0);
+	dfd = openat(parentfd, name, O_RDONLY|O_NONBLOCK|O_DIRECTORY, 0);
 	if (dfd == -1) {
 	    if (errno != ENOENT) {
 		if (!quiet) {
@@ -128,7 +128,8 @@ sudo_open_parent_dir_v1(const char *path, uid_t uid, gid_t gid, mode_t mode,
 		goto bad;
 	    }
 	    if (mkdirat(parentfd, name, mode) == 0) {
-		dfd = openat(parentfd, name, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0);
+		dfd = openat(parentfd, name,
+		    O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_NOFOLLOW, 0);
 		if (dfd == -1) {
 		    if (!quiet) {
 			sudo_warn(U_("unable to open %.*s"),
diff --git a/lib/util/mkdirat.c b/lib/util/mkdirat.c
@@ -33,8 +33,8 @@ sudo_mkdirat(int dfd, const char *path, mode_t mode)
     if (dfd == (int)AT_FDCWD)
 	return mkdir(path, mode);
 
-    /* Save cwd */
-    if ((odfd = open(".", O_RDONLY)) == -1)
+    /* Save cwd (cannot use O_PATH on older Linux kernels). */
+    if ((odfd = open(".", O_RDONLY|O_DIRECTORY)) == -1)
 	return -1;
 
     if (fchdir(dfd) == -1) {
diff --git a/lib/util/openat.c b/lib/util/openat.c
@@ -32,8 +32,8 @@ sudo_openat(int dfd, const char *path, int flags, mode_t mode)
     if (dfd == AT_FDCWD)
 	return open(path, flags, mode);
 
-    /* Save cwd */
-    if ((odfd = open(".", O_RDONLY)) == -1)
+    /* Save cwd (cannot use O_PATH on older Linux kernels). */
+    if ((odfd = open(".", O_RDONLY|O_DIRECTORY)) == -1)
 	return -1;
 
     if (fchdir(dfd) == -1) {
diff --git a/lib/util/secure_path.c b/lib/util/secure_path.c
@@ -115,13 +115,15 @@ sudo_secure_open(const char *path, unsigned int type, uid_t uid, gid_t gid,
     struct stat *sb, int *error)
 {
     struct stat stat_buf;
-    int fd;
+    int fd, flags = O_RDONLY|O_NONBLOCK;
     debug_decl(sudo_secure_open, SUDO_DEBUG_UTIL);
 
     if (sb == NULL)
 	sb = &stat_buf;
 
-    fd = open(path, O_RDONLY|O_NONBLOCK);
+    if (type == S_IFDIR)
+	flags |= O_DIRECTORY;
+    fd = open(path, flags);
     if (fd == -1 || fstat(fd, sb) != 0) {
 	if (fd != -1)
 	    close(fd);
diff --git a/lib/util/unlinkat.c b/lib/util/unlinkat.c
@@ -32,8 +32,8 @@ sudo_unlinkat(int dfd, const char *path, int flag)
     if (dfd == AT_FDCWD)
 	return unlink(path);
 
-    /* Save cwd */
-    if ((odfd = open(".", O_RDONLY)) == -1)
+    /* Save cwd (cannot use O_PATH on older Linux kernels). */
+    if ((odfd = open(".", O_RDONLY|O_DIRECTORY)) == -1)
 	return -1;
 
     if (fchdir(dfd) == -1) {
diff --git a/logsrvd/iolog_writer.c b/logsrvd/iolog_writer.c
@@ -619,7 +619,7 @@ create_iolog_path(struct connection_closure *closure)
 
     /* We use iolog_dir_fd in calls to openat(2) */
     closure->iolog_dir_fd =
-	iolog_openat(AT_FDCWD, evlog->iolog_path, O_RDONLY);
+	iolog_openat(AT_FDCWD, evlog->iolog_path, O_RDONLY|O_DIRECTORY);
     if (closure->iolog_dir_fd == -1) {
 	sudo_warn("%s", evlog->iolog_path);
 	goto bad;
@@ -830,7 +830,8 @@ iolog_rewrite(const struct timespec *target, struct connection_closure *closure)
 	sudo_warn(U_("unable to mkdir %s"), tmpdir);
 	goto done;
     }
-    if ((tmpdir_fd = iolog_openat(AT_FDCWD, tmpdir, O_RDONLY)) == -1) {
+    tmpdir_fd = iolog_openat(AT_FDCWD, tmpdir, O_RDONLY|O_DIRECTORY);
+    if (tmpdir_fd == -1) {
 	sudo_warn(U_("unable to open %s"), tmpdir);
 	goto done;
     }
diff --git a/logsrvd/logsrvd_local.c b/logsrvd/logsrvd_local.c
@@ -476,8 +476,8 @@ store_restart_local(const RestartMessage *msg, const uint8_t *buf, size_t len,
     }
 
     /* We use iolog_dir_fd in calls to openat(2) */
-    closure->iolog_dir_fd =
-	iolog_openat(AT_FDCWD, closure->evlog->iolog_path, O_RDONLY);
+    closure->iolog_dir_fd = iolog_openat(AT_FDCWD,
+	closure->evlog->iolog_path, O_RDONLY|O_DIRECTORY);
     if (closure->iolog_dir_fd == -1) {
 	sudo_warn("%s", closure->evlog->iolog_path);
 	goto bad;
diff --git a/logsrvd/sendlog.c b/logsrvd/sendlog.c
@@ -1850,7 +1850,7 @@ main(int argc, char *argv[])
     if (argc != 1)
 	usage();
     iolog_dir = argv[0];
-    if ((iolog_dir_fd = open(iolog_dir, O_RDONLY)) == -1) {
+    if ((iolog_dir_fd = open(iolog_dir, O_RDONLY|O_DIRECTORY)) == -1) {
 	sudo_warn("%s", iolog_dir);
 	goto bad;
     }
diff --git a/plugins/sudoers/iolog.c b/plugins/sudoers/iolog.c
@@ -718,7 +718,8 @@ sudoers_io_open_local(struct timespec *start_time)
 	goto done;
     }
 
-    iolog_dir_fd = iolog_openat(AT_FDCWD, evlog->iolog_path, O_RDONLY);
+    iolog_dir_fd =
+	iolog_openat(AT_FDCWD, evlog->iolog_path, O_RDONLY|O_DIRECTORY);
     if (iolog_dir_fd == -1) {
 	log_warning(ctx, SLOG_SEND_MAIL, "%s", evlog->iolog_path);
 	warned = true;
diff --git a/plugins/sudoers/sudoreplay.c b/plugins/sudoers/sudoreplay.c
@@ -342,7 +342,8 @@ main(int argc, char *argv[])
     }
 
     /* Open files for replay, applying replay filter for the -f flag. */
-    if ((iolog_dir_fd = iolog_openat(AT_FDCWD, iolog_dir, O_RDONLY)) == -1)
+    iolog_dir_fd = iolog_openat(AT_FDCWD, iolog_dir, O_RDONLY|O_DIRECTORY);
+    if (iolog_dir_fd == -1)
 	sudo_fatal("%s", iolog_dir);
     for (i = 0; i < IOFD_MAX; i++) {
 	if (!iolog_open(&iolog_files[i], iolog_dir_fd, i, "r")) {
diff --git a/plugins/sudoers/timestamp.c b/plugins/sudoers/timestamp.c
@@ -1028,7 +1028,7 @@ timestamp_remove(const struct sudoers_context *ctx, bool unlink_it)
     }
 #endif
 
-    dfd = open(def_timestampdir, O_RDONLY|O_NONBLOCK);
+    dfd = open(def_timestampdir, O_RDONLY|O_NONBLOCK|O_DIRECTORY);
     if (dfd == -1) {
 	if (errno != ENOENT)
 	    ret = -1;
diff --git a/src/edit_open.c b/src/edit_open.c
@@ -288,8 +288,8 @@ sudo_edit_openat_nofollow(int dfd, char *path, int oflags, mode_t mode)
     struct stat sb;
     debug_decl(sudo_edit_openat_nofollow, SUDO_DEBUG_EDIT);
 
-    /* Save cwd and chdir to dfd */
-    if ((odfd = open(".", O_RDONLY)) == -1)
+    /* Save cwd and chdir to dfd (cannot use O_PATH on older Linux kernels). */
+    if ((odfd = open(".", O_RDONLY|DIRECTORY)) == -1)
 	debug_return_int(-1);
     if (fchdir(dfd) == -1) {
 	close(odfd);
diff --git a/src/sudo_edit.c b/src/sudo_edit.c
@@ -96,7 +96,7 @@ set_tmpdir(const struct sudo_cred *user_cred)
     }
 
     for (i = 0; tdir == NULL && i < nitems(tmpdirs); i++) {
-	if ((dfd = open(tmpdirs[i], O_RDONLY)) != -1) {
+	if ((dfd = open(tmpdirs[i], O_RDONLY|O_DIRECTORY)) != -1) {
 	    if (dir_is_writable(dfd, user_cred, &saved_cred) == true)
 		tdir = tmpdirs[i];
 	    close(dfd);

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ iolog_parse_loginfo(int dfd, const char *iolog_dir)`
`49`	`49`	`debug_decl(iolog_parse_loginfo, SUDO_DEBUG_UTIL);`
`50`	`50`
`51`	`51`	`if (dfd == -1) {`
`52`		`- if ((tmpfd = open(iolog_dir, O_RDONLY)) == -1) {`
	`52`	`+ if ((tmpfd = open(iolog_dir, O_RDONLY\|O_DIRECTORY)) == -1) {`
`53`	`53`	`sudo_warn("%s", iolog_dir);`
`54`	`54`	`goto bad;`
`55`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,8 +36,8 @@ sudo_fchownat(int dfd, const char *path, uid_t uid, gid_t gid, int flags)`
`36`	`36`	`return chown(path, uid, gid);`
`37`	`37`	`}`
`38`	`38`
`39`		`- /* Save cwd */`
`40`		`- if ((odfd = open(".", O_RDONLY)) == -1)`
	`39`	`+ /* Save cwd (cannot use O_PATH on older Linux kernels). */`
	`40`	`+ if ((odfd = open(".", O_RDONLY\|O_DIRECTORY)) == -1)`
`41`	`41`	`return -1;`
`42`	`42`
`43`	`43`	`if (fchdir(dfd) == -1) {`
Original file line number	Diff line number	Diff line change
`@@ -38,8 +38,8 @@ sudo_fstatat(int dfd, const char * restrict path, struct stat * restrict sb, int`
`38`	`38`	`return stat(path, sb);`
`39`	`39`	`}`
`40`	`40`
`41`		`- /* Save cwd */`
`42`		`- if ((odfd = open(".", O_RDONLY)) == -1)`
	`41`	`+ /* Save cwd (cannot use O_PATH on older Linux kernels). */`
	`42`	`+ if ((odfd = open(".", O_RDONLY\|O_DIRECTORY)) == -1)`
`43`	`43`	`goto done;`
`44`	`44`
`45`	`45`	`if (fchdir(dfd) == -1)`