28.04.2024 20:39, stsp пишет:
In short: my impl confines the hassle within the single process. It can be extended, and then the receiver will need to explicitly allow adding such fds to his fd table. But your idea seems to inherently require 2 processes, and there is probably no way for the second process to say "ok, I allow such sub-tree in my fs scope".
There is probably 1 more detail I had to make explicit: if my model is extended to allow SCM_RIGHTS passage by the use of a new flag on a receiver's side, the kernel will be able to check that the receiver currently has the same creds as the sender. Please note that my model is needed for the process that does setuid() to a less-privileged user. He would need to receive the cred fd _before_ such setuid, he would need to use the special flag to receive it, and the kernel will also need to check that he has the same creds anyway, so no escalation can ever happen. Only that sequence of events makes the SCM_RIGHTS passage safe, AFAICT. But if you don't allow SCM_RIGHTS, as my current impl does, then you are sure the process can raise the creds only to his own ones. Now talking about your sub-tree idea, would it be possible to check that the process had initially enough creds to access it w/o inheriting anything? That part looks important to me, i.e. the process must not access anything that he couldn't access before dropping privs. But I am not sure if your idea even includes the priv drop.
