On Wed, Jul 16, 2008 at 05:18:47PM -0400, Steven M. Bellovin wrote:
> On Wed, 16 Jul 2008 13:34:34 -0700
> Jason Thorpe <thorpej%shagadelic.org@localhost> wrote:
>
> >
> > On Jul 16, 2008, at 7:47 AM, Matt Thomas wrote:
> >
> > > Besides the fhopen(2) previously mentioned, this isn't available
> > > because it would break the security used by unix.
> >
> > Other Unix-like platforms (Mac OS X) can do this without breaking
> > the Unix security model. We should be able to, too.
>
> I'm curious how they do it. Today, I can safely have a mode 666 file
> inside a 700 directory. A setuid program can cd to that directory,
> surrender privilege, and then operate on the files. The real user
> can't get to that directory, and hence can't touch the files -- but if
> it could open things by i-node number, it could. (I first saw that
> technique used in an old MTA, MMDF, circa 1979.)

MacOS's open-by-inode gets the vnode, gets the path, and makes sure the user can access the path. At present, I believe it only tries one path, so you might get odd results w/ hard links. But then again hard links + a security environment where you really care about directory access permissions is dodgy. It might work fine, it might not. :-)

Take care,

Bill
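The per-directory check the thread attributes to MacOS open-by-inode, written out as an added Python illustration (not code from this thread or from any of the systems mentioned). It models plain POSIX mode bits only (no ACLs, root bypasses the check), examines the single path it is given, as Bill notes MacOS does, and builds Bellovin's scenario of a mode 666 file inside a mode 700 directory in a temporary directory to show that the file's own mode is irrelevant when an ancestor directory is not searchable.

```python
import os
import stat
import tempfile

def may_search(st, uid, gids):
    """Directory search (execute) permission for (uid, gids) from plain mode bits; root bypasses."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def path_reachable(path, uid, gids):
    """Check every ancestor directory of `path`, root-most first, for search permission.

    Returns (True, None) if the caller could traverse the whole path, else (False, directory)
    naming the first blocking directory. Only this one path is examined: another hard link
    to the same inode under a differently protected directory is not considered.
    """
    ancestors = []
    cur = os.path.dirname(os.path.realpath(path))
    while True:
        ancestors.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    for d in reversed(ancestors):
        if not may_search(os.lstat(d), uid, gids):
            return False, d
    return True, None

def demo():
    """Constructed scenario: a mode 666 file inside a mode 700 directory, checked for owner and stranger."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)  # so the stranger is stopped by 'private' itself, not by the temp dir
    private = os.path.join(base, "private")
    os.mkdir(private, 0o700)
    target = os.path.join(private, "mailbox")
    with open(target, "w") as f:
        f.write("constructed sample\n")
    os.chmod(target, 0o666)  # world read/write, like the MMDF mailbox case
    me, my_groups = os.geteuid(), set(os.getgroups()) | {os.getegid()}
    stranger = me + 1  # hypothetical other, non-root uid with no groups
    return private, path_reachable(target, me, my_groups), path_reachable(target, stranger, set())
```

Opening the inode directly would skip exactly the walk that `path_reachable` performs, which is why the check has to be re-done against a path before the vnode is handed out.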