Subject: Re: Addition to force open to open only regular files
To: None <wrstuden@zembu.com>
From: Wolfgang Solfrank <ws@tools.de>
List: tech-kern
Date: 11/20/2000 20:13:49
Hi, again,

> I'm not. And I think that's how many other developers feel too. Especially
> since these routines weren't documented as needing to be at a specific ID
> level. i.e. we could document ourselves out of the corner with new code,
> but not with older routines.

Hmm, so to get things straight:

You want to introduce a new feature (HOSTALIAS.  And before you ask,
I don't care how long this has been available previously; it isn't
available for setuid programs currently.) into some library routine.
This new feature introduces a security concern.  So you think the
correct solution to this problem is to tweak the OS in some obscure
way in order to make this new feature safe even for some old users
of this library routine, since they might call the library routine
in a way that makes its now introduced security risk exploitable.

This seems quite backwards to me.

IMHO the correct solution is to document the routines as requiring
a specific ID level, and by default switch off the new feature for
setuid programs.  If you really think that the new feature is worthwhile
(and it seems you do), then allow for new code to enable it via some
flag argument or some external flag settable by a caller of the routine
(either directly or through some other library routine) which tells
the routine that you know what you are doing.

Wouldn't that work better?

Ciao,
Wolfgang
-- 
ws@TooLs.DE     Wolfgang Solfrank, TooLs GmbH 	+49-228-985800
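As an added illustration of the opt-in design argued for in this message (example code written here, not from the thread, NetBSD, or any resolver library): the library routine ignores an environment-supplied alias file by default when the process is set-id, and honours it only if the caller passes an explicit flag. The names `RES_TRUST_HOSTALIAS`, `hostalias_allowed`, `hostalias_path` and `process_is_setid` are hypothetical; the set-id check compares real and effective ids as a portable stand-in for `issetugid()`.

```c
/* Added example (not from the thread): gating an environment-controlled
 * feature (HOSTALIAS) behind a set-id check plus an explicit caller opt-in.
 * All identifiers below are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Caller asserts it knows HOSTALIAS is safe to consult in this program. */
#define RES_TRUST_HOSTALIAS 0x01

/* Portable approximation of issetugid(): true when real and effective
 * user or group ids differ, i.e. the program is running set-id. */
static int process_is_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pure policy decision, kept separate from the id lookup so it can be
 * exercised without actually running set-id. */
int hostalias_allowed(int setid, unsigned flags)
{
    if (!setid)
        return 1;                                  /* unprivileged: harmless */
    return (flags & RES_TRUST_HOSTALIAS) != 0;     /* set-id: opt-in only */
}

/* Returns the alias file path to consult, or NULL when the feature is off.
 * `envval` is the value of HOSTALIAS (NULL if unset), passed in rather than
 * read with getenv() so the routine is testable. */
const char *hostalias_path(const char *envval, int setid, unsigned flags)
{
    if (envval == NULL || envval[0] == '\0')
        return NULL;
    if (!hostalias_allowed(setid, flags))
        return NULL;
    return envval;
}

int main(void)
{
    /* Old callers pass flags == 0 and therefore never see HOSTALIAS when
     * running set-id; new callers opt in deliberately. */
    const char *p = hostalias_path(getenv("HOSTALIAS"), process_is_setid(), 0);
    printf("HOSTALIAS %s\n", p ? "honoured" : "ignored");
    return 0;
}
```

Existing callers that never pass the flag keep their old behaviour in unprivileged programs and lose nothing they relied on in set-id programs, which is the point of making the feature opt-in rather than patching the OS around it.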