To find out the names of open files in a process
Russell Kent
kent at tifsie.UUCP
Tue Feb 2 11:00:35 AEST 1988
in article <904 at thorin.cs.unc.edu>, gallmeis at wasp.cs.unc.edu (Bill Gallmeister) says:
> I promised myself I wouldn't get into this. So here I am. What's wrong
> with rewriting the library routines so they squirrel away file names +
> file statistics, then pass them over when the process gets migrated? It
> really seems that the mapping of filename to inode can be done outside
> of the kernel. And therefore should be. Run the processes under control
> of a "puppet master" that knows how to do these things. Much better than
> modifying the kernel, although it doesn't look quite as good on the resume...
> Bill O. Gallmeister gallmeis at cs.unc.edu
Migrating the pathname to inode number translation from the kernel into
the user space would:
1. Eliminate some of the file access security afforded by the
present scheme.
2. Destroy the orthogonality of the physical resource naming
Explanations:
As we all know, the kernel uses the execute bit (x bit) of a directory
to allow "search" permission, as opposed to "read" permission which
is still handled by the read bit (r bit). Presently, it is possible to
construct to path types which I will call "under glass", and "blackhole."
An "under glass" pathname is one in which the terminal directory
(ie next-to-last pathname component) is readable, but not searchable.
This allows programs to see that the file exists, but does not
allow it to open the file (the clever reader will note that this is
easily accomplished with the permissions on the file itself -- I never
said that this was a _useful_ technique 8-).
A "blackhole" pathname is on in which at least one of the directories
in the pathname is searchable but not readable. This allows programs
to access the file _if_ they already know the pathname. Since the
directories are not readable, then (with some careful naming) the
file is effectively inaccessible unless the name is already known.
This can be used where the other security techniques provided by
the system are ineffective, awkward, or have potentially unpleasant
side-effects. (SA's golden rule: every setuid root program is a
potential disaster)
These are admittedly esoteric objections; but what about that
panacea for nearly all security problems: chroot(). How
will you implement this if the user/kernel open is done
with inode numbers? (Of course, the _truely_ mischievous user
can be dealt with by more extreme measures such as putting his/her
home directory on /dev/tape 8-).
As for the orthogonality of the name space of physical resources,
I can best demonstrate with a question: What is the inode number
of /dev/ra0a? Or of /dev/tty03?
--
Russell Kent Phone: +1 214 995 3501
Texas Instruments UUCP address:
P.O. Box 655012 MS 3635 ...!convex!smu!tifsie!kent
Dallas, TX 75265 ...!ut-sally!im4u!ti-csl!tifsie!kent
More information about the Comp.unix.wizards
mailing list