Fix race condition in ReadHome#391

Merged

EthanHeilman merged 2 commits into

openpubkey:mainfrom

gcorrall:fix-readhome-race-condition

Oct 31, 2025

Contributor

gcorrall commented Oct 30, 2025

There is a race condition in the ReadHome function. Although O_NOFOLLOW is used when opening the homePolicyPath file, the file is later read using os.ReadFile(homePolicyPath). This reopens the file by path. It is possible that a symlink could be swapped in between the os.OpenFile and the os.ReadFile. This race condition could be avoided by re-using the original file handle (by using io.ReadAll).

gcorrall and others added 2 commits

October 30, 2025 20:42


          Fix race condition in ReadHome

550b7ea

Re-use the original filehandle when reading homePolicyPath to avoid a
'Time-of-check to time-of-use' race condition.

Signed-off-by: gcorrall <4834451+gcorrall@users.noreply.github.com>


          Merge branch 'main' into fix-readhome-race-condition

b27e925

EthanHeilman approved these changes

View reviewed changes

Member

EthanHeilman left a comment •

edited

Loading

@gcorrall Thanks for the fix and really good catch.

I spend all this work trying to avoid a race condition on the read and then ended up using the path rather than the file descriptor.

How did you end up coming across this? Where you automatically scanning repos for this mistake?

EthanHeilman merged commit 618effe into openpubkey:main

15 checks passed

renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request


          chore(deps): update dependency openpubkey/opkssh to v0.11.0

e5d091e

##### [\`v0.11.0\`](https://github.com/openpubkey/opkssh/releases/tag/v0.11.0)

##### 🚀 Features

- Add support for custom group claims [@mvanderlee](https://github.com/mvanderlee) ([#133](openpubkey/opkssh#133))
- feat: Flag to print SSH cert and private key rather than FS [@EthanHeilman](https://github.com/EthanHeilman) ([#437](openpubkey/opkssh#437))
- feat: Process extra arguments to the verify command [@justincmoy](https://github.com/justincmoy) ([#436](openpubkey/opkssh#436))
- Add warning message when email claim is missing from ID token @[copilot-swe-agent\[bot\]](https://github.com/apps/copilot-swe-agent) ([#374](openpubkey/opkssh#374))
- \[feat] Add new "inspect" subcommand [@stmcginnis](https://github.com/stmcginnis) ([#349](openpubkey/opkssh#349))
- Add CLI reference documentation [@stmcginnis](https://github.com/stmcginnis) ([#365](openpubkey/opkssh#365))
- Include signature JSON in `inspect` output [@stmcginnis](https://github.com/stmcginnis) ([#358](openpubkey/opkssh#358))
- - docs: Add Amazon Cognito as tested provider [@Foorack](https://github.com/Foorack) ([#414](openpubkey/opkssh#414))
- docs: Add documentation for opkssh and sssd integration [@vigneshmanick](https://github.com/vigneshmanick) ([#409](openpubkey/opkssh#409))
- Added SELinux support for sudo logging [@descensus](https://github.com/descensus) ([#376](openpubkey/opkssh#376))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#368](openpubkey/opkssh#368))

##### 🐛 Bug Fixes

- Fix race condition in ReadHome [@gcorrall](https://github.com/gcorrall) ([#391](openpubkey/opkssh#391))
- \[fix] Use lowercase for positional argument placeholders [@t38miwa](https://github.com/t38miwa) ([#361](openpubkey/opkssh#361))
- fix typo in commands/verify.go [@DevRockstarZ](https://github.com/DevRockstarZ) ([#336](openpubkey/opkssh#336))
- Doc: fix small errors in policy plugin doc [@PotatoesMaster](https://github.com/PotatoesMaster) ([#344](openpubkey/opkssh#344))
- Correct macOS name [@stmcginnis](https://github.com/stmcginnis) ([#341](openpubkey/opkssh#341))

##### 🧰 Maintenance

- chore: document upstream nix usage & remove nix flake [@datosh](https://github.com/datosh) ([#383](openpubkey/opkssh#383))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#438](openpubkey/opkssh#438))
- Stop hash pinning docker images [@EthanHeilman](https://github.com/EthanHeilman) ([#421](openpubkey/opkssh#421))
- \[fix] Fix ssh version integration test [@EthanHeilman](https://github.com/EthanHeilman) ([#362](openpubkey/opkssh#362))
- Fix integration tests failing due to pacman keys [@EthanHeilman](https://github.com/EthanHeilman) ([#432](openpubkey/opkssh#432))
- fix(deps): Update docker/setup-buildx-action action to v3.12.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#426](openpubkey/opkssh#426))
- fix(deps): Update zizmorcore/zizmor-action action to v0.3.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#413](openpubkey/opkssh#413))
- fix(deps): Update peter-evans/create-pull-request action to v8 @[renovate\[bot\]](https://github.com/apps/renovate) ([#418](openpubkey/opkssh#418))
- fix(deps): Update zizmorcore/zizmor-action action to v0.2.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#335](openpubkey/opkssh#335))
- fix(deps): Update peter-evans/create-pull-request action to v7.0.9 @[renovate\[bot\]](https://github.com/apps/renovate) ([#407](openpubkey/opkssh#407))

sdwilsh pushed a commit to sdwilsh/ansible-playbooks that referenced this pull request


          chore(deps): update dependency openpubkey/opkssh to v0.11.0

a7acc4b

##### [\`v0.11.0\`](https://github.com/openpubkey/opkssh/releases/tag/v0.11.0)

##### 🚀 Features

- Add support for custom group claims [@mvanderlee](https://github.com/mvanderlee) ([#133](openpubkey/opkssh#133))
- feat: Flag to print SSH cert and private key rather than FS [@EthanHeilman](https://github.com/EthanHeilman) ([#437](openpubkey/opkssh#437))
- feat: Process extra arguments to the verify command [@justincmoy](https://github.com/justincmoy) ([#436](openpubkey/opkssh#436))
- Add warning message when email claim is missing from ID token @[copilot-swe-agent\[bot\]](https://github.com/apps/copilot-swe-agent) ([#374](openpubkey/opkssh#374))
- \[feat] Add new "inspect" subcommand [@stmcginnis](https://github.com/stmcginnis) ([#349](openpubkey/opkssh#349))
- Add CLI reference documentation [@stmcginnis](https://github.com/stmcginnis) ([#365](openpubkey/opkssh#365))
- Include signature JSON in `inspect` output [@stmcginnis](https://github.com/stmcginnis) ([#358](openpubkey/opkssh#358))
- - docs: Add Amazon Cognito as tested provider [@Foorack](https://github.com/Foorack) ([#414](openpubkey/opkssh#414))
- docs: Add documentation for opkssh and sssd integration [@vigneshmanick](https://github.com/vigneshmanick) ([#409](openpubkey/opkssh#409))
- Added SELinux support for sudo logging [@descensus](https://github.com/descensus) ([#376](openpubkey/opkssh#376))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#368](openpubkey/opkssh#368))

##### 🐛 Bug Fixes

- Fix race condition in ReadHome [@gcorrall](https://github.com/gcorrall) ([#391](openpubkey/opkssh#391))
- \[fix] Use lowercase for positional argument placeholders [@t38miwa](https://github.com/t38miwa) ([#361](openpubkey/opkssh#361))
- fix typo in commands/verify.go [@DevRockstarZ](https://github.com/DevRockstarZ) ([#336](openpubkey/opkssh#336))
- Doc: fix small errors in policy plugin doc [@PotatoesMaster](https://github.com/PotatoesMaster) ([#344](openpubkey/opkssh#344))
- Correct macOS name [@stmcginnis](https://github.com/stmcginnis) ([#341](openpubkey/opkssh#341))

##### 🧰 Maintenance

- chore: document upstream nix usage & remove nix flake [@datosh](https://github.com/datosh) ([#383](openpubkey/opkssh#383))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#438](openpubkey/opkssh#438))
- Stop hash pinning docker images [@EthanHeilman](https://github.com/EthanHeilman) ([#421](openpubkey/opkssh#421))
- \[fix] Fix ssh version integration test [@EthanHeilman](https://github.com/EthanHeilman) ([#362](openpubkey/opkssh#362))
- Fix integration tests failing due to pacman keys [@EthanHeilman](https://github.com/EthanHeilman) ([#432](openpubkey/opkssh#432))
- fix(deps): Update docker/setup-buildx-action action to v3.12.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#426](openpubkey/opkssh#426))
- fix(deps): Update zizmorcore/zizmor-action action to v0.3.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#413](openpubkey/opkssh#413))
- fix(deps): Update peter-evans/create-pull-request action to v8 @[renovate\[bot\]](https://github.com/apps/renovate) ([#418](openpubkey/opkssh#418))
- fix(deps): Update zizmorcore/zizmor-action action to v0.2.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#335](openpubkey/opkssh#335))
- fix(deps): Update peter-evans/create-pull-request action to v7.0.9 @[renovate\[bot\]](https://github.com/apps/renovate) ([#407](openpubkey/opkssh#407))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet