From: andi payn
To: David Malone
cc: freebsd-hackers@freebsd.org
Subject: Re: O_NOACCESS?
Date: Fri, 31 Oct 2003 11:20:15 -0800

On Fri, 2003-10-31 at 08:27, David Malone wrote:
> On Thu, Oct 30, 2003 at 07:46:38AM -0800, andi payn wrote:
> > In FreeBSD, this doesn't work; you just get EINVAL.
>
> I believe this is because of a security problem discovered a few
> years ago, where you could open a file like /dev/io for neither
> read nor write but still get the special privileges associated with
> having the file open.
>
> If you were to allow people to open files without read or write
> permission you'd need to fix problems like this in a different way.

It seems to me that the right way to fix this is to ensure that only the superuser can open the /dev/io device, no matter what permissions are on it. And the manpage says that this restriction is there. Of course it would be a good idea to check the code and make sure this really is true before (re-?)enabling O_NOACCESS.

Are there any other special devices like this in FreeBSD?