Hi! > >> It looks to me like it has been this way for better than a decade > >> without problems so there is no point in changing it now. > > > > Unix compatibility? > > Thinking about this proc fundamentally gives you the ability to create > (via open) a new file descriptor for a file you already have open. Yes. Problem is that by using /proc, I can work-around open(READONLY) restriction and work-around open(APPEND_ONLY) restriction. > I do see a security issue in your example, but the security issue I > see is how you have chosen to use the linux facilities, that have been > there for ages. Facilities cloned from plan 9 and apparently > available in slightly different forms on many unix variants existence. > /dev/fd/N is not a linuxism. > > To close this whole would require some sort of stacking inode that > when opened opened the real fs inode. With all kinds of convolutions > and complications. Just to close the issue that some idiot might > give someone a fd to a world writeable file that they don't want > them to open. Ok, so you agree issue is there. Good. Now, fix for READONLY issue should be fairly simple: follow link in /proc/*/fd/* should check the link permissions, and return read-only/write-only descriptors as neccessary. Basically, that follow link should behave as dup(), not as open(). > I certainly am not interested in debugging or maintaining the stacking > inode code that would be necessary to close this theoretical corner > case. There are much more real bugs that need attention. But if we can get trivial 10-liner, that should be acceptable, right? Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
