From 79b348f07519094d508544ed447c2fd252be1f99 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 25 Aug 2020 09:39:59 +0200 Subject: [PATCH] util: don't open symlink when appending to file When opening a file for appending (i.e. a log file), use the O_NOFOLLOW flag to get an error if the path is a symlink. Opening log files through symlinks is no longer supported. This is a protection against symlink attacks if chronyd is misconfigured to write a log in a world-writable directory (e.g. /tmp). That is not meant to become a recommended practice. Log messages will be lost, or chronyd won't start, if a symlink exists at the location of the log file. --- util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util.c b/util.c index a572a02..8f22ff9 100644 --- a/util.c +++ b/util.c @@ -1236,7 +1236,7 @@ UTI_OpenFile(const char *basedir, const char *name, const char *suffix, break; case 'a': case 'A': - flags = O_WRONLY | O_CREAT | O_APPEND; + flags = O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW; file_mode = "a"; break; default:
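Review bot: On the changed line `flags = O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW;` in the `'a'`/`'A'` case of `UTI_OpenFile`, O_NOFOLLOW only rejects a symlink in the final path component. A symlink in any directory component of the path is still followed, and because O_CREAT is used without O_EXCL, an existing regular file or hard link already present at that name is still opened and appended to. A short comment beside the flag stating this limit would keep readers from treating it as complete protection for a log placed in a world-writable directory, which the commit message already says is not a recommended setup. The commit message also says that opening log files through symlinks is no longer supported, yet the diffstat shows only util.c changed, so this behaviour change should be recorded in the user-facing documentation as well. The error handling after the open call is not visible in this hunk; it is worth confirming that the failure (ELOOP on Linux) is reported with the file path, so that the lost log messages or failed start described in the commit message can be diagnosed.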