util: don't open symlink when appending to file

When opening a file for appending (i.e. a log file), use the O_NOFOLLOW
flag to get an error if the path is a symlink. Opening log files through
symlinks is no longer supported.

This is a protection against symlink attacks if chronyd is misconfigured
to write a log in a world-writable directory (e.g. /tmp). That is not
meant to become a recommended practice. Log messages will be lost, or
chronyd won't start, if a symlink exists at the location of the log
file.

diff --git a/util.c b/util.c
index a572a02d4de4ec5041d092da88a13b0e67f8d781..8f22ff9c610438891bcad5911c3b0968bdda8795 100644 (file)
--- a/util.c
+++ b/util.c
@@ -1236,7 +1236,7 @@ UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
       break;
     case 'a':
     case 'A':
-      flags = O_WRONLY | O_CREAT | O_APPEND;
+      flags = O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW;
       file_mode = "a";
       break;
     default: