Re: [PATCH] new syscall: flink

Fredrik Tolf (fredrik@dolda2000.cjb.net)
Mon, 7 Apr 2003 22:55:47 +0200


On Monday 07 April 2003 05:39, H. Peter Anvin wrote:
> Followup to:
> <Pine.BSO.4.44.0304062250250.9407-100000@kwalitee.nolab.conman.org> By
> author: Mark Grosberg <mark@nolab.conman.org>
> In newsgroup: linux.dev.kernel
>
> > > > Suppose I give you an O_RDONLY handle to a file which you then
> > > > flink and gain write access too ?
> > >
> > > This, I believe, is the real issue. However, we already have that
> > > problem:
> >
> > As far as I understand it, isn't the protection information stored in the
> > inode? The flink call is just linking an inode into a directory that the
> > caller has write access to. The permissions and ownership of the file
> > shouldn't change.
>
> The problem is when you get passed a file descriptor from another
> process (via exec or file-descriptor passing) and you don't have
> permissions to access the *directory*.

Does that really matter? If the user owning the process has write permission
to the file, it can't possibly hurt security that he gains write access as
well to it using flink, right?
If it would prove to be a security hole anyway, it should be easily remedied
by only allowing the call for the file's owner and root. It would admittedly
make the call less usable, but its main uses still remain, as I see it.

Anyway, while we're on the subject, is it just me who would like to see a
fexec() call?

Fredrik Tolf

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/