From: Tobias Stoeckmann
Date: Sun, 11 Jan 2026 14:23:26 +0000 (+0100)
Subject: lib/commonio.c: Drop lrename
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b43089bcf15978a21b9e858fc61a5fce33a2daa6;p=thirdparty%2Fshadow.git

lib/commonio.c: Drop lrename

The lrename function follows symlinks when renaming files. Since the source is a temporary file and the target is the database file itself, which is opened with O_NOFOLLOW, this function is only useful for an attacker who manages to win some form of race.

Fixes: 0fa908302660 (2007-10-07; "[svn-upgrade] Integrating new upstream version, shadow (4.0.16)")
Fixes: 391a3847157c (2010-03-04; "2010-01-30 Paweł Hajdan, Jr. ")
Reviewed-by: Alejandro Colomar
Signed-off-by: Tobias Stoeckmann
---
diff --git a/lib/commonio.c b/lib/commonio.c
index 4131a2e09..28dc7324c 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -45,7 +45,6 @@
 /* local function prototypes */
-static int lrename (const char *, const char *);
 static int check_link_count (const char *file, bool log);
 static int do_lock_file (const char *file, const char *lock, bool log);
 static /*@null@*/ /*@dependent@*/FILE *fmkstemp_set_perms (
@@ -69,32 +68,6 @@ static /*@dependent@*/ /*@null@*/struct commonio_entry *next_entry_by_name (
 static int lock_count = 0;
 static bool nscd_need_reload = false;
 
-/*
- * Simple rename(P) alternative that attempts to rename to symlink
- * target.
- */
-int lrename (const char *old, const char *new)
-{
- int res;
- char *r = NULL;
- struct stat sb;
-
- if (lstat (new, &sb) == 0 && S_ISLNK (sb.st_mode)) {
- r = realpath (new, NULL);
- if (NULL == r) {
- perror ("realpath in lrename()");
- } else {
- new = r;
- }
- }
-
- res = rename (old, new);
-
- free (r);
-
- return res;
-}
-
 static int check_link_count (const char *file, bool log)
 {
 struct stat sb;
@@ -311,7 +284,7 @@ static int create_backup (const char *name, FILE * fp)
 }
 stprintf_a(target, "%s-", name);
- if (lrename(tmpf, target) != 0) {
+ if (rename(tmpf, target) != 0) {
 unlink(tmpf);
 return -1;
 }
@@ -975,7 +948,7 @@ commonio_close(struct commonio_db *db, MAYBE_UNUSED bool process_selinux)
 goto fail;
 }
- if (lrename(tmpf, db->filename) != 0) {
+ if (rename(tmpf, db->filename) != 0) {
 goto fail;
 }
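Review bot: In the create_backup hunk the failure path runs `unlink(tmpf);` right after the new `rename(tmpf, target)` call, so the errno that rename() set can be overwritten before the caller sees the -1; preserving it with `int saved = errno; unlink(tmpf); errno = saved;` keeps the error reporting accurate. Neither this hunk nor the commonio_close hunk records why the destination must not be resolved through a symlink, which the commit message explains but the code no longer shows; a one-line comment at the first call site, `/* rename(2) replaces a symlink at the destination instead of following it; keep it that way */`, would stop a later realpath-style helper from being reintroduced. The rename() in commonio_close appears to rely on db->filename being the same path the database was opened with, as the message states, but that open is outside the hunk and should be confirmed. Both create_backup and commonio_close start and end outside their hunks.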