Ideas for changes to Unix filesystem
Dan Bernstein
brnstnd at kramden.acf.nyu.edu
Thu Feb 7 23:13:43 AEST 1991
In article <richard.665896876 at fafnir.la.locus.com> richard at locus.com (Richard M. Mathews) writes:
[ foo is mode 700 root, foo/bar is mode 666 root, some setuid program ]
[ opens foo/bar for reading and passes the descriptor to user code ]
> With flink(), the user could create a name for the file, reopen it for
> write, and screw up the whole world.
Nah. flink() would only work if you have the file open for writing. End
of security problems. You say this is a limitation? Well---
(The *right* way to do this is to have an entirely separate bit: O_LINK,
perhaps. The privileged program here would just make sure to leave
O_LINK out of the open. See the O_NONE discussion that crops up now and
then: people have proposed good uses for a few other bits.)
---it did occur to you that under the current system, you'd need either
read or write access to open the descriptor for flink() in the first
place. Didn't it? Until there's something like O_NONE to open files for
operations without I/O, this part of the system will never be perfectly
clean. The simplest solution is to make O_LINK synonymous with O_WRONLY.
---Dan
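As an added example (not part of this thread), the rule Dan argues for in C: a user-space emulation of a hypothetical flink() that refuses any descriptor not opened for writing, run against the setuid-program scenario summarized at the top of the post. flink(), O_LINK and O_NONE are hypothetical; Linux linkat() on /proc/self/fd is assumed for the actual linking.

```c
/* Added example, not from the original thread: the flink() rule argued for
 * above ("only works if you have the file open for writing").  flink(),
 * O_LINK and O_NONE are hypothetical; Linux linkat() on /proc/self/fd is
 * assumed for the actual link. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Rule: a new name may be made only for a descriptor opened with write
 * access (O_LINK treated as a synonym for O_WRONLY). */
int flink_permitted(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    if (fl < 0) return 0;
    int acc = fl & O_ACCMODE;
    return acc == O_WRONLY || acc == O_RDWR;
}
/* Hypothetical flink(): EPERM unless the rule holds, else hard-link. */
int flink(int fd, const char *newpath)
{
    if (!flink_permitted(fd)) { errno = EPERM; return -1; }
    char proc[64];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
    return linkat(AT_FDCWD, proc, AT_FDCWD, newpath, AT_SYMLINK_FOLLOW);
}
/* The scenario from the post: a file the privileged side created, then
 * opened read-only and handed to user code.  Returns 1 if flink() refused
 * the read-only descriptor, 0 otherwise. */
int readonly_handle_cannot_be_relinked(void)
{
    char dir[] = "/tmp/flinkXXXXXX", path[64], alias[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(path, sizeof path, "%s/bar", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    int fd = open(path, O_RDWR | O_CREAT, 0666);
    if (fd < 0) return 0;
    close(fd);
    fd = open(path, O_RDONLY);
    int refused = (flink(fd, alias) == -1 && errno == EPERM);
    close(fd);
    unlink(alias); unlink(path); rmdir(dir);
    return refused;
}
int main(void)
{
    printf("read-only handle refused: %d\n", readonly_handle_cannot_be_relinked());
    return 0;
}
```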