From: Robert Watson <rwatson@FreeBSD.org>
Date: Thu, 21 May 2009 10:36:32 +0100 (BST)
To: Garrett Wollman
Cc: arch@freebsd.org, Lothar Scholz
Subject: Re: Posix shared memory problem
In-Reply-To: <18952.21468.748665.878710@hergotha.csail.mit.edu>
References: <200905100500.n4A50GOa050728@hergotha.csail.mit.edu> <7710650619.20090510075706@scriptolutions.com> <18950.63671.323324.756287@hergotha.csail.mit.edu> <1393224851.20090511112537@scriptolutions.com> <18952.21468.748665.878710@hergotha.csail.mit.edu>
List-Id: Discussion related to FreeBSD architecture

On Mon, 11 May 2009, Garrett Wollman wrote:

> < said:
>
>> Some idiots started to think about this as a file path. But it isn't
>> and it shouldn't.
>
> Actually, it really should be. Ask a security person or a virtualization
> person to explain why an unnecessary multiplicity of namespaces is a bad
> idea.
Despite having been partly responsible for the new POSIX shm code in 8.x that removes file system namespace use for POSIX shm, I strongly agree with your statement. The hierarchical and access-controlled structure of the file system namespace is a key feature that makes it preferable to the plethora of other weird global namespaces arriving with various new IPC models. A hierarchical namespace with access control allows reliable delegation of portions of the namespace -- for example, administrators can authorize a user to use any name in "/home/username" without worrying that users will spoof each other's services based on application start order, crashes, etc. The existence of additional flat namespaces, such as those used by System V IPC, POSIX shm, POSIX sem, etc., is quite problematic from this perspective, and significantly increases the risk of vulnerability.

Robert N M Watson
Computer Laboratory
University of Cambridge
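As an added example (not code from this thread or from FreeBSD), here is the defensive pattern that a flat, first-come-first-served namespace forces on every consumer, which the delegated directory case does not need: claim a name with O_EXCL so an already-taken name is an error rather than a silent attach, and after opening a name check owner and mode with fstat() before trusting what is behind it. The scratch file and the /tmp paths are constructed for the demonstration; the same verify step applies to a descriptor returned by shm_open().

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Accept fd only if the object is owned by 'owner' and writable by nobody
 * else. fstat() works the same on an fd from open() or from shm_open(). */
int verify_owned_fd(int fd, uid_t owner)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    if (st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EPERM; /* someone else created, or opened up, this name */
        return -1;
    }
    return 0;
}

/* Open an existing name without following symlinks; refuse it unless
 * verify_owned_fd() passes, so a foreign object is never used by accident. */
int open_verified(const char *path, uid_t owner)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (verify_owned_fd(fd, owner) != 0) {
        int e = errno; close(fd); errno = e;
        return -1;
    }
    return fd;
}

/* Claim a name exclusively: EEXIST if taken, rather than silently attaching. */
int create_exclusive(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
}

/* Constructed demo: scratch file with 'mode'; 1 if open_verified() accepts it, 0 if rejected, -1 on setup failure. */
int demo_accepts(mode_t mode)
{
    char tmpl[] = "/tmp/nsdemo.XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0 || fchmod(fd, mode) != 0) return -1;
    close(fd);
    int vfd = open_verified(tmpl, geteuid());
    if (vfd >= 0) close(vfd);
    unlink(tmpl);
    return vfd >= 0;
}
```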