Date:      Mon, 27 Nov 2000 22:26:51 -0700
From:      Warner Losh <imp@village.org>
To:        "Brian F. Feldman" <green@FreeBSD.org>
Cc:        Peter Wemm <peter@netplex.com.au>, Alfred Perlstein <bright@wintelcom.net>, obrien@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/inetd builtins.c 
Message-ID:  <200011280526.WAA07436@harmony.village.org>
In-Reply-To: Your message of "Sun, 26 Nov 2000 23:05:15 EST." <200011270405.eAR45H578642@green.dyndns.org> 
References:  <200011270405.eAR45H578642@green.dyndns.org>  

In message <200011270405.eAR45H578642@green.dyndns.org> "Brian F. Feldman" writes:
: There aren't many good solutions, but luckily this doesn't really seem to be 
: a problem.  An open with O_NOFOLLOW prevents hapless symlink problems, but 
: since it doesn't prevent hapless file-type problems...  I'd like it if there 
: was something like this:
: 
: 	* lstat() is used to verify permissions, in conjunction with 
: 	  getgroups()/initgroups() and seteuid().
: 	* the stat structure can be verified to be okay.  Normally, the next 
: 	  step would be to open the file and fstat() and check if it's the 
: 	  same -- but that is only alright for some things.  What if you 
: 	  don't want to have called open() at all?
: 	* the program calls int stathash(struct stat *sb) which returns a
: 	  reasonably-secure hash of the "telling" contents of the structure.
: 	* the program then calls
: 	  open(name, O_RDONLY | O_NONBLOCK | O_STATHASH, hash).
: 	* open(2) recognizes the overloading (O_STATHASH being mutex with
: 	  O_CREAT) and, after locking the vnode, VOP_STAT()s and checks the
: 	  hashes of the stats and returns an error if they do not match.

I think that STATHASH is a really bad idea.

The best solution is to run with the right credentials, and then it
just doesn't matter if some hapless user tries to race you.  Win or
lose the race, the kernel won't open a file that the user doesn't have
permission to open.

Cf, a really long discussion on this wrt HOSTALIASES in the NetBSD
lists.

Warner
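Warner's approach in working form, as an added example that is not part of this thread or of inetd: the daemon takes the requesting user's credentials before calling open(), so the kernel's own permission check settles any race, and the file-type check from Brian's second point is done with fstat() on the descriptor actually obtained rather than on a path. It assumes a root daemon (initgroups() is skipped when run unprivileged) and builds a constructed temporary fixture; the names open_as_user and demo are mine.

```c
#define _GNU_SOURCE /* glibc: declares mkdtemp, initgroups, seteuid */
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Open `path` read-only while holding the requesting user's credentials, so the
 * kernel's permission check decides and winning a rename/symlink race gains nothing. */
int open_as_user(const char *path, const char *name, uid_t uid, gid_t gid)
{
    uid_t daemon_uid = geteuid(); gid_t daemon_gid = getegid();
    struct stat st; int fd, err;
    /* Groups, then gid, then uid: once euid is unprivileged the earlier calls
     * fail. initgroups() itself needs root, so it is skipped when run unprivileged. */
    if ((daemon_uid == 0 && initgroups(name, gid) == -1) ||
        setegid(gid) == -1 || seteuid(uid) == -1)
        return -1;
    /* O_NOFOLLOW refuses a symlink as the last component; O_NONBLOCK keeps a
     * FIFO or device from stalling the daemon (both flags as in the quoted text). */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    err = errno;
    if (seteuid(daemon_uid) == -1 || setegid(daemon_gid) == -1) abort(); /* cannot regain daemon creds */
    /* Type check on the descriptor we hold: no window between check and use. */
    if (fd != -1 && (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode))) {
        close(fd); fd = -1; err = EINVAL;
    }
    errno = err; return fd;
}
/* Constructed fixture under mkdtemp(): a regular file plus a symlink to it.
 * Returns 1 when the file opens and the symlink is refused, 0 otherwise. */
int demo(void)
{
    char dir[] = "/tmp/inetdXXXXXX", file[64], alias[64];
    struct passwd *pw = getpwuid(getuid());
    const char *name = pw ? pw->pw_name : "unknown"; /* only feeds initgroups() */
    int fd, ok;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    if ((fd = open(file, O_WRONLY | O_CREAT, 0600)) == -1) return 0; close(fd);
    if (symlink(file, alias) == -1) return 0;
    ok = (fd = open_as_user(file, name, getuid(), getgid())) != -1;
    if (ok) close(fd);
    ok = ok && open_as_user(alias, name, getuid(), getgid()) == -1;
    unlink(alias); unlink(file); rmdir(dir); return ok;
}
```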