Date: Sun, 26 Jan 2003 17:21:06 -0500 (EST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Garrett Wollman <wollman@lcs.mit.edu>
Cc: Poul-Henning Kamp <phk@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sbin/disklabel disklabel.c
Message-ID: <Pine.NEB.3.96L.1030126171900.24134P-100000@fledge.watson.org>
In-Reply-To: <200301262214.h0QMEfiV078221@khavrinen.lcs.mit.edu>
On Sun, 26 Jan 2003, Garrett Wollman wrote:

> <<On Sun, 26 Jan 2003 13:55:43 -0800 (PST), Poul-Henning Kamp <phk@FreeBSD.org> said:
>
> > If we fail to open O_RDWR, try opening O_RDONLY, if we use ioctls
> > to fiddle the disk we can get away with it.
>
> Uh, if the ioctls actually succeed in fiddling the disk, that's a
> serious security problem.
>
> Probably there should be a separate .ctl node for these sorts of
> operations.

We've always had a problem with ioctl's operating on storage devices
regardless of the open mode (and permitted access modes) for the device
nodes. For some device drivers, mediation occurs in the ioctl()
implementation via some arbitrary calls to suser(), but for many, it
doesn't. Unfortunately, ioctl() is intentionally a semantic-free interface
such that mediation must always be done at the device layer, and we can't
perform masking at higher layers where we have the open mode available. If
we passed the 'struct file' mode down the stack more, we could clean that
up some, although the result would still arguably be unclean.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
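The device-layer mediation Robert describes, as an added example that is not code from the thread or from FreeBSD: a toy driver whose ioctl handler checks each command's required access against the descriptor's open mode, combined with the O_RDWR-then-O_RDONLY fallback from the disklabel commit, so that a read-only fallback open can no longer reach the mutating commands. All names (dev_open, dev_ioctl, DKIOC_*) and the device state are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>

#define FREAD  0x0001              /* descriptor was opened for reading */
#define FWRITE 0x0002              /* descriptor was opened for writing */
/* Hypothetical commands for a disk-like device (not FreeBSD's real ones). */
enum { DKIOC_GETLABEL = 1, DKIOC_SETLABEL = 2, DKIOC_WRITECACHE = 3 };
struct file { int f_flag; };                   /* open mode from open(2) */
struct device { char label[64]; int wcache; }; /* toy device state */

/* open(2) as the device sees it: the caller's permitted modes ('perm')
 * are checked once, against the mode requested, and recorded in f_flag. */
int dev_open(struct file *fp, int oflag, int perm) {
    int acc = oflag & O_ACCMODE;
    int want = acc == O_RDONLY ? FREAD : acc == O_WRONLY ? FWRITE : (FREAD | FWRITE);
    if ((perm & want) != want) return EACCES;
    fp->f_flag = want;
    return 0;
}

/* The fallback the thread discusses: try O_RDWR, settle for O_RDONLY. */
int open_with_fallback(struct file *fp, int perm) {
    if (dev_open(fp, O_RDWR, perm) == 0) return 0;
    return dev_open(fp, O_RDONLY, perm);
}

/* Every command declares the access it needs; unknown commands are refused. */
static int needed_access(unsigned long cmd) {
    switch (cmd) {
    case DKIOC_GETLABEL:   return FREAD;
    case DKIOC_SETLABEL:   return FWRITE;
    case DKIOC_WRITECACHE: return FWRITE;
    default:               return -1;
    }
}

/* Device-layer ioctl handler. Mediation has to live here: ioctl(2) itself
 * carries no semantics, so only the driver knows which commands mutate. */
int dev_ioctl(struct device *d, struct file *fp, unsigned long cmd, void *data) {
    int need = needed_access(cmd);
    if (need < 0) return ENOTTY;
    if ((fp->f_flag & need) != need) return EBADF;   /* e.g. write on O_RDONLY */
    if (cmd == DKIOC_GETLABEL) { strncpy(data, d->label, sizeof d->label); return 0; }
    if (cmd == DKIOC_WRITECACHE) { d->wcache = *(int *)data; return 0; }
    strncpy(d->label, data, sizeof d->label - 1);    /* DKIOC_SETLABEL */
    d->label[sizeof d->label - 1] = '\0';
    return 0;
}
```

With the check in dev_ioctl, the fallback open is harmless: a descriptor that ended up read-only gets EBADF on the mutating commands instead of silently fiddling the disk.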