Message-Id: <200204191445.g3JEjXSg095842@hak.lan.Awfulhak.org>
From: Brian Somers
To: Robert Watson
Cc: Garrett Wollman, "M. Warner Losh", cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, brian@freebsd-services.com
Subject: Re: cvs commit: src/sys/kern kern_descrip.c kern_exec.c src/sys/sys filedesc.h
In-Reply-To: Message from Robert Watson of "Fri, 19 Apr 2002 10:40:44 EDT."
Date: Fri, 19 Apr 2002 15:45:33 +0100

> On Fri, 19 Apr 2002, Garrett Wollman wrote:
>
> > < said:
> >
> > > There is no other way to fix this than in the kernel...
> >
> > Sure there is -- make sure that every privileged process has something
> > on every fd. You could do it in csu (although from a standards
> > perspective that would make no difference). Or, alternatively, rather
> > than changing exec(), you could change fdalloc() to never return fd 0,
> > 1, or 2 except when explicitly requested by dup2() -- although this
> > would break some seriously old programs that expect to be able to do
> >
> >     fd = open(...)
> >     close(1);
> >     dup(fd);
> >
> > and have it work. (These programs are broken anyway -- the Standard
> > does not guarantee any particular order of fd allocation.)
>
> The policy decision regarding whether a program is "privileged" still has
> to be made in the kernel, regardless of whether the fd problem is
> addressed in kernel or user space. We discussed the "don't return 0 1 and
> 2" fd's, but apparently many programs specifically rely on 0 1 and 2 being
> returned sequentially, and that is written into some spec or another. I
> think this solution is a reasonable one -- many of the other "easy"
> solutions more explicitly violate the specs than this one, as far as I can
> tell.

The spec is dup(2). It's not documented in open(2), but people make
the assumption.

> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org      NAI Labs, Safeport Network Services

-- 
Brian http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !
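As an added illustration (not code from this thread or from FreeBSD), the C sketch below shows the user-space mitigation raised in the quoted text, putting something on each of fds 0, 1 and 2 before a privileged program opens its own files, together with a probe of the lowest-free allocation behaviour the discussion turns on. The function names and the use of /dev/null are assumptions of this example.

```c
/* Added example: user-space handling of closed stdio descriptors. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Bind every closed slot among fds 0..2 to /dev/null.
 * Returns the number of slots filled, or -1 on error. */
int sanitize_std_fds(void)
{
    int filled = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                     /* slot is already open */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {                  /* do not rely on allocation order */
            if (dup2(nfd, fd) == -1) { close(nfd); return -1; }
            close(nfd);
        }
        filled++;
    }
    return filled;
}

/* Show the hazard: with `target` (0, 1 or 2) closed, the next open()
 * lands on it. Returns the fd open() handed back, or -1 on error.
 * The original descriptor is saved first and restored afterwards. */
int fd_reused_after_close(int target)
{
    if (sanitize_std_fds() == -1)
        return -1;
    int saved = fcntl(target, F_DUPFD, 10);   /* park a copy at fd >= 10 */
    if (saved == -1)
        return -1;
    close(target);
    int got = open("/dev/null", O_WRONLY);    /* stands in for a data file */
    if (got != -1 && got != target)
        close(got);
    int rc = dup2(saved, target);             /* restore the original fd */
    close(saved);
    return rc == -1 ? -1 : got;
}

int main(void)
{
    printf("filled %d closed slot(s)\n", sanitize_std_fds());
    printf("open() after close(2) returned fd %d\n", fd_reused_after_close(2));
    return 0;
}
```

A privileged program would call `sanitize_std_fds()` as its first action, before any `open()` whose descriptor could otherwise end up receiving diagnostic output.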