From: Dag-Erling Smørgrav <des@des.no>
To: Dirk Engling
Cc: freebsd-security@freebsd.org, Pétur Ingi Egilsson
Subject: Re: File descriptors
Date: Sun, 14 Apr 2013 02:52:07 +0200
Message-ID: <86obdigci0.fsf@ds4.des.no>
In-Reply-To: <5169F961.7030407@erdgeist.org> (Dirk Engling's message of "Sun, 14 Apr 2013 02:33:37 +0200")

Dirk Engling writes:

> you may have a wrong understanding of what the difference between a file
> and its names is. The moment you open a file, the system call checks the
> permissions and if you are allowed to read the file, returns another
> name for your file, the fd.

Descriptors aren't names. Names are just labels; descriptors are live objects which tie processes to vnodes or sockets.
> If you change permissions on the file name in the file system, your file
> descriptor is not affected. The overhead for chasing changes in your
> directory structure (and nothing else is changing permissions) on every
> read() system call would just not be bearable.

It would be quite trivial, actually, but not desirable. The way it works now allows privileged processes to pass descriptors to restricted files to unprivileged processes, or to drop privileges before operating on them.

DES

-- 
Dag-Erling Smørgrav - des@des.no
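The open-time check discussed above, as an added example that is not code from the thread: it creates a temporary file, opens it for reading, strips every mode bit with chmod, and shows that the existing descriptor still reads while a fresh open() by name is refused. The path prefix and file content are constructed; since root bypasses mode bits, the outcome of the reopen is reported rather than assumed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of each step, so a caller can check them individually. */
struct fd_demo {
    int read_via_old_fd; /* 1: descriptor opened before chmod still reads the data */
    int reopen_failed;   /* 1: a fresh open() after chmod(0) failed with EACCES */
    int running_as_root; /* 1: euid 0 bypasses mode bits, so a fresh open() may succeed */
};

/* Create a temp file, open it for reading, strip all mode bits, then show
 * that the existing descriptor keeps working: the permission check is made
 * once, at open(), not again on every read(). Returns 0 on success. */
int fd_survives_chmod(struct fd_demo *out)
{
    char path[] = "/tmp/fddemo.XXXXXX";            /* mkstemp fills in the suffix */
    const char msg[] = "constructed sample data\n"; /* constructed test content */
    char buf[sizeof msg];
    ssize_t want = (ssize_t)(sizeof msg - 1);

    memset(out, 0, sizeof *out);
    out->running_as_root = (geteuid() == 0);

    int wfd = mkstemp(path);
    if (wfd < 0) return -1;
    if (write(wfd, msg, want) != want) { close(wfd); unlink(path); return -1; }
    close(wfd);

    int rfd = open(path, O_RDONLY);     /* access decision happens here */
    if (rfd < 0) { unlink(path); return -1; }

    if (chmod(path, 0) != 0) { close(rfd); unlink(path); return -1; }

    /* The mode bits are now 000, yet the live descriptor is unaffected. */
    ssize_t n = read(rfd, buf, want);
    out->read_via_old_fd = (n == want && memcmp(buf, msg, (size_t)n) == 0);

    /* A new open() by name is a new access decision and is refused. */
    int again = open(path, O_RDONLY);
    out->reopen_failed = (again < 0 && errno == EACCES);
    if (again >= 0) close(again);

    close(rfd);
    unlink(path);
    return 0;
}
```

The same property is what lets a privileged process open a restricted file, then drop privileges or hand the descriptor to another process: the later reads need no second permission check.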