Re: [PATCH] new syscall: flink

Olivier Galibert (galibert@pobox.com)
Mon, 7 Apr 2003 13:02:03 +0200


On Mon, Apr 07, 2003 at 10:09:15AM +0100, Malcolm Beattie wrote:
> Here's another example along similar lines: you can open a file
> O_APPEND and pass the descriptor along to another process (e.g. a
> security mediator process that hands out a file descriptor to a
> less-trusted recipient that it can use for appending entries only).
> fcntl() explicitly prevents the clearing of the O_APPEND flag on a
> file which was opened with O_APPEND. With flink, one could flink()
> and re-open without O_APPEND: security hole.

That would be a big security hole waiting to happen though. Nothing
forces the less trusted recipient not to send in zeroes or finish the
lines (for a text file) or respect a particular format (for a binary
file).

In practice, I tend to think that any security scheme flink breaks is
brittle at best. It requires passing a fd to a file which is owned by
the same uid as the untrusted process, and rely somehow on the
directory structure to prevent direct access to said file. But the
trusted process must have had access to the file somehow, so, well,
it's really, really brittle.

/proc breaking it already isn't very surprising.

OG.
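One check a practitioner would run before relying on an O_APPEND descriptor as an append-only capability, as the quoted paragraph describes: on Linux, fcntl(F_SETFL) refuses to drop O_APPEND only when the inode carries the append-only attribute (chattr +a) and clears it on an ordinary file, so the outcome of this probe tells you which case your file is in. This is an added example, not code from the thread; the scratch path under /tmp is a placeholder.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check whether a descriptor opened with O_APPEND can have the flag dropped
 * through fcntl(F_SETFL).  Returns 1 if the kernel cleared it (the final
 * write at offset 0 overwrote data instead of appending), 0 if the flag was
 * kept, -1 on error.  Uses a constructed scratch file (placeholder path). */
int o_append_clearable(void)
{
    char path[] = "/tmp/oappend-check-XXXXXX";
    struct stat st;
    int flags, rc = -1;
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    /* Second descriptor on the same inode, opened the way a mediator would
     * hand it out: write-only and append-only. */
    int fd = open(path, O_WRONLY | O_APPEND);
    unlink(path);              /* only the open descriptors keep the inode alive */
    close(tmp);
    if (fd < 0) return -1;
    /* With O_APPEND every write lands at end-of-file, whatever the offset. */
    if (write(fd, "first\n", 6) != 6) goto out;
    if (lseek(fd, 0, SEEK_SET) < 0 || write(fd, "second\n", 7) != 7) goto out;
    if (fstat(fd, &st) < 0 || st.st_size != 13) goto out;
    /* The step the quoted design assumes fcntl() refuses. */
    flags = fcntl(fd, F_GETFL);
    if (flags < 0) goto out;
    if (fcntl(fd, F_SETFL, flags & ~O_APPEND) < 0) { rc = 0; goto out; } /* EPERM: kept */
    flags = fcntl(fd, F_GETFL);
    if (flags < 0) goto out;
    /* Write at offset 0 again: an overwrite (size unchanged) means the flag is gone. */
    if (lseek(fd, 0, SEEK_SET) < 0 || write(fd, "third\n", 6) != 6) goto out;
    if (fstat(fd, &st) < 0) goto out;
    rc = (!(flags & O_APPEND) && st.st_size == 13) ? 1 : 0;
out:
    close(fd);
    return rc;
}

int main(void)
{
    int r = o_append_clearable();
    printf("O_APPEND cleared by fcntl: %s\n", r == 1 ? "yes" : r == 0 ? "no" : "error");
    return r < 0;
}
```

A result of 1 means the descriptor alone does not enforce append-only writes; only the inode attribute (or a kernel without the relaxation) does.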
