Date:      Sat, 8 May 2004 08:03:12 -0700
From:      David Schultz <das@FreeBSD.ORG>
To:        Marc Olzheim <marcolz@stack.nl>
Cc:        Tim Robbins <tjr@FreeBSD.ORG>
Subject:   Re: Unified getcwd() implementation
Message-ID:  <20040508150312.GA7381@VARK.homeunix.com>
In-Reply-To: <20040508135954.GA469@stack.nl>
References:  <20040507092235.GA61837@stack.nl> <20040507100119.GA15782@cat.robbins.dropbear.id.au> <20040507235556.GB37035@empiric.dek.spc.org> <20040508010228.GA18935@cat.robbins.dropbear.id.au> <20040508012357.GA37547@empiric.dek.spc.org> <20040508030258.GA19512@cat.robbins.dropbear.id.au> <20040508044207.GB38736@empiric.dek.spc.org> <20040508070040.GA20138@cat.robbins.dropbear.id.au> <20040508135954.GA469@stack.nl>

On Sat, May 08, 2004, Marc Olzheim wrote:
> On Sat, May 08, 2004 at 05:00:40PM +1000, Tim Robbins wrote:
> > Both the current implementation and the proposed new implementation
> > try to find the pathname using the namecache without authorization
> > checks, then if that fails, go on to read the directories, but this
> > time with authorization checks. What is the difference?
> 
> standards/44425 mentions why the current implementation is not a bug in
> the standards point of view.
> 
> bin/22291, kern/30527, kern/39331 and kern/55993 are about issues we
> have because of the current implementation.

30527 seems to be unrelated...

> What would be gained from this patch is:
> - consistency
> - getcwd() having elevated permission to actually be able to find the
>   real cwd.

The fact that the present implementation is inconsistent is a bug.
Moreover, it's a small bug, with a patch already provided in
standards/44425.  Therefore, this is poor justification for
completely replacing the current implementation.  Recall that in
POSIX, it's perfectly legal to refuse to reveal the cwd when the
user lacks search permission to some ancestor directory.
Moreover, refusing permission may be safer because it respects
users' intent to revoke search permission.

The present implementation is also less complex because it defers
the hard cases to userland.  On the other hand, we need to support
the full-blown kernel version in the Linuxolator anyway, so we
might as well do it once and do it right.  But this doesn't
necessarily mean it's a good idea to bypass restrictions on read
permission.

So in summary, I'm in support of the idea of unifying our getcwd
implementations, modulo some of the details...
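Added example, not from this thread nor from FreeBSD's libc or kernel: a minimal userland getcwd() of the kind "defers the hard cases to userland" refers to. It climbs via ".." and reads each parent directory, so it goes through the ordinary read and search permission checks and fails with EACCES at exactly the ancestor whose permission a user has revoked. The function name walk_getcwd is my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
static int same_file(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}
/* Build the cwd in buf by climbing ".." and reading each parent directory.
 * Returns 0, or -1 with errno set (EACCES when an ancestor denies r or x). */
int walk_getcwd(char *buf, size_t size)
{
    char tmp[4096] = {0};               /* path is assembled from the right end */
    size_t end = sizeof(tmp) - 1, len;
    struct stat cur, parent, st; struct dirent *de;
    int pfd, found; DIR *d = opendir(".");
    if (d == NULL) return -1;
    for (;;) {
        /* resolving ".." needs x on the current dir; opening the parent needs r */
        if (fstat(dirfd(d), &cur) < 0 ||
            (pfd = openat(dirfd(d), "..", O_RDONLY | O_DIRECTORY)) < 0) goto fail;
        closedir(d);
        if ((d = fdopendir(pfd)) == NULL) { close(pfd); return -1; }
        if (fstat(dirfd(d), &parent) < 0) goto fail;
        if (same_file(&cur, &parent)) break;    /* ".." is "." only at the root */
        for (found = 0; !found && (de = readdir(d)) != NULL; ) {  /* find cur's entry */
            if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0 ||
                fstatat(dirfd(d), de->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0 ||
                !same_file(&st, &cur)) continue;
            if ((len = strlen(de->d_name)) + 1 > end) { errno = ERANGE; goto fail; }
            memcpy(tmp + (end -= len), de->d_name, len);
            tmp[--end] = '/';
            found = 1;
        }
        if (!found) { errno = ENOENT; goto fail; }
    }
    closedir(d);
    len = sizeof(tmp) - 1 - end;
    if (len == 0) { tmp[--end] = '/'; len = 1; }    /* cwd is the root itself */
    if (len + 1 > size) { errno = ERANGE; return -1; }
    memcpy(buf, tmp + end, len + 1);
    return 0;
fail:
    closedir(d);
    return -1;
}
```

Run as an unprivileged user from a directory below one you have chmod'ed a-r or a-x and the walk fails where the kernel's namecache-based getcwd() would not; as root both succeed.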
