Date:      Sun, 14 Apr 2013 02:52:07 +0200
From:      Dag-Erling Smørgrav <des@des.no>
To:        Dirk Engling <erdgeist@erdgeist.org>
Cc:        freebsd-security@freebsd.org, Pétur Ingi Egilsson <petur@petur.eu>
Subject:   Re: File descriptors
Message-ID:  <86obdigci0.fsf@ds4.des.no>
In-Reply-To: <5169F961.7030407@erdgeist.org> (Dirk Engling's message of "Sun, 14 Apr 2013 02:33:37 +0200")
References:  <B4285FA7-E3EF-4639-BFC0-9BEA7881A5CB@petur.eu> <5169F961.7030407@erdgeist.org>

Dirk Engling <erdgeist@erdgeist.org> writes:
> you may have a wrong understanding of what the difference between a file
> and its names is. The moment you open a file, the system call checks the
> permissions and if you are allowed to read the file, returns another
> name for your file, the fd.

Descriptors aren't names.  Names are just labels; descriptors are live
objects which tie processes to vnodes or sockets.

> If you change permissions on the file name in the file system, your file
> descriptor is not affected. The overhead for chasing changes in your
> directory structure (and nothing else is changing permissions) on every
> read() system call would just not be bearable.

It would be quite trivial, actually, but not desirable.  The way it
works now allows privileged processes to pass descriptors to restricted
files to unprivileged processes, or to drop privileges before operating
on them.

DES
-- 
Dag-Erling Smørgrav - des@des.no
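The behaviour the thread describes, as an added example that is not part of the original messages: the permission check runs once at open time, so an already-open descriptor keeps working after the name's mode bits are stripped and even after the name is unlinked, while a fresh open() of that name is refused. The temporary file path and its contents are constructed; run it as an unprivileged user to see the EACCES case (root bypasses mode bits, so that check is skipped for root).

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not from the thread: an open descriptor outlives both a
 * chmod 0 and an unlink of the name it was opened through. */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 when every step behaves as described in the thread, else 0. */
int fd_outlives_name(void)
{
    char path[] = "/tmp/fdtest.XXXXXX";   /* constructed sample path */
    const char msg[] = "secret\n";
    const ssize_t len = (ssize_t)(sizeof msg - 1);
    char buf[sizeof msg];
    int fd, fd2, ok = 0;

    fd = mkstemp(path);                    /* the permission check happens here */
    if (fd < 0) return 0;
    if (write(fd, msg, len) != len) goto out;

    /* Strip all mode bits from the inode; fd itself is unaffected. */
    if (fchmod(fd, 0) < 0) goto out;
    /* A new open() re-runs the check against the caller's credentials.
     * root bypasses DAC mode bits, so EACCES is only expected otherwise. */
    if (geteuid() != 0) {
        fd2 = open(path, O_RDONLY);
        if (fd2 >= 0) { close(fd2); goto out; }
        if (errno != EACCES) goto out;
    }

    /* Remove the name entirely; the live object behind fd still exists. */
    if (unlink(path) < 0) goto out;
    fd2 = open(path, O_RDONLY);
    if (fd2 >= 0) { close(fd2); goto out; }
    if (errno != ENOENT) goto out;

    /* The descriptor, checked once at open time, still reads the data. */
    if (lseek(fd, 0, SEEK_SET) < 0 || read(fd, buf, sizeof buf) != len)
        goto out;
    ok = memcmp(buf, msg, (size_t)len) == 0;
out:
    close(fd);
    unlink(path);                          /* no-op if already removed */
    return ok;
}
```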