From owner-cvs-all Mon Nov 27 21:27: 0 2000
Delivered-To: cvs-all@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id D72D537B4F9; Mon, 27 Nov 2000 21:26:54 -0800 (PST)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eAS5QrQ59012; Mon, 27 Nov 2000 22:26:53 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id WAA07436; Mon, 27 Nov 2000 22:26:51 -0700 (MST)
Message-Id: <200011280526.WAA07436@harmony.village.org>
To: "Brian F. Feldman"
Subject: Re: cvs commit: src/usr.sbin/inetd builtins.c
Cc: Peter Wemm , Alfred Perlstein , obrien@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
In-reply-to: Your message of "Sun, 26 Nov 2000 23:05:15 EST." <200011270405.eAR45H578642@green.dyndns.org>
References: <200011270405.eAR45H578642@green.dyndns.org>
Date: Mon, 27 Nov 2000 22:26:51 -0700
From: Warner Losh
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <200011270405.eAR45H578642@green.dyndns.org> "Brian F. Feldman" writes:
: There aren't many good solutions, but luckily this doesn't really seem to be
: a problem. An open with O_NOFOLLOW prevents hapless symlink problems, but
: since it doesn't prevent hapless file-type problems... I'd like it if there
: was something like this:
:
: * lstat() is used to verify permissions, in conjunction with
:   getgroups()/initgroups() and seteuid().
: * the stat structure can be verified to be okay. Normally, the next
:   step would be to open the file and fstat() and check if it's the
:   same -- but that is only alright for some things. What if you
:   don't want to have called open() at all?
: * the program calls int stathash(struct stat *sb) which returns a
:   reasonably-secure hash of the "telling" contents of the structure.
: * the program then calls
:   open(name, O_RDONLY | O_NONBLOCK | O_STATHASH, hash).
: * open(2) recognizes the overloading (O_STATHASH being mutex with
:   O_CREAT) and, after locking the vnode, VOP_STAT()s and checks the
:   hashes of the stats and returns an error if they do not match.

I think that STATHASH is a really bad idea. The best solution is to run with the right credentials, and then it just doesn't matter if some hapless user tries to race you. Win or lose the race, the kernel won't open a file that the user doesn't have permission to open. Cf, a really long discussion on this wrt HOSTALIASES in the NetBSD lists.

Warner
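The approach Warner describes, written out in C as an added example that is not from this thread or from inetd: drop the effective ids to the user around open(2) so the kernel makes the permission decision on the vnode it actually opens, with O_NOFOLLOW plus an fstat() on the returned descriptor covering the symlink and file-type cases Brian raises. open_as_user and demo are hypothetical names, and the regular file and FIFO the self-check uses are constructed under /tmp.

```c
#define _XOPEN_SOURCE 700   /* seteuid/setegid, mkstemp, mkfifo */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not inetd's code: open `path` read-only with the
 * kernel doing the access check as (uid, gid).  Effective ids are dropped
 * around open(2) and restored, so the decision is made on the vnode that is
 * actually opened; swapping the path after an earlier lstat() gains nothing. */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    struct stat sb;
    int fd, saved_errno;
    if (setegid(gid) == -1 || seteuid(uid) == -1)  /* gid first: needs euid 0 */
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);  /* no symlink, no FIFO hang */
    saved_errno = errno;
    if (seteuid(saved_uid) == -1 || setegid(saved_gid) == -1)
        abort();  /* credential state unknown: do not continue */
    if (fd == -1) { errno = saved_errno; return -1; }
    /* O_NOFOLLOW says nothing about file type: check what was opened, by fd. */
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode)) {
        close(fd); errno = EINVAL; return -1;
    }
    return fd;
}

/* Self-check with constructed files under the caller's own ids: a regular
 * file opens, a FIFO put in its place is rejected.  Returns 0 on success. */
int demo(void)
{
    char reg[] = "/tmp/oau.XXXXXX", fifo[64];
    int fd = mkstemp(reg), rc = 1;
    if (fd == -1) return 1;
    close(fd);
    snprintf(fifo, sizeof fifo, "%s.fifo", reg);
    if (mkfifo(fifo, 0600) == 0) {
        fd = open_as_user(reg, getuid(), getgid());
        rc = !(fd >= 0 && open_as_user(fifo, getuid(), getgid()) == -1);
        if (fd >= 0) close(fd);
        unlink(fifo);
    }
    unlink(reg);
    return rc;
}
```

Run as root the same call opens the file with the user's credentials; run unprivileged it still exercises the O_NONBLOCK and S_ISREG checks against the FIFO.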