Date: Sat, 8 May 2004 08:03:12 -0700
From: David Schultz <das@FreeBSD.ORG>
To: Marc Olzheim <marcolz@stack.nl>
Cc: Tim Robbins <tjr@FreeBSD.ORG>
Subject: Re: Unified getcwd() implementation
Message-ID: <20040508150312.GA7381@VARK.homeunix.com>
In-Reply-To: <20040508135954.GA469@stack.nl>
References: <20040507092235.GA61837@stack.nl>
 <20040507100119.GA15782@cat.robbins.dropbear.id.au>
 <20040507235556.GB37035@empiric.dek.spc.org>
 <20040508010228.GA18935@cat.robbins.dropbear.id.au>
 <20040508012357.GA37547@empiric.dek.spc.org>
 <20040508030258.GA19512@cat.robbins.dropbear.id.au>
 <20040508044207.GB38736@empiric.dek.spc.org>
 <20040508070040.GA20138@cat.robbins.dropbear.id.au>
 <20040508135954.GA469@stack.nl>
On Sat, May 08, 2004, Marc Olzheim wrote:
> On Sat, May 08, 2004 at 05:00:40PM +1000, Tim Robbins wrote:
> > Both the current implementation and the proposed new implementation
> > try to find the pathname using the namecache without authorization
> > checks, then if that fails, go on to read the directories, but this
> > time with authorization checks. What is the difference?
>
> standards/44425 mentions why the current implementation is not a bug from
> the standards point of view.
>
> bin/22291, kern/30527, kern/39331 and kern/55993 are about issues we
> have because of the current implementation.

30527 seems to be unrelated...

> What would be gained from this patch is:
> - consistency
> - getcwd() having elevated permission to actually be able to find the
>   real cwd.

The fact that the present implementation is inconsistent is a bug.
Moreover, it's a small bug, with a patch already provided in
standards/44425. Therefore, this is poor justification for completely
replacing the current implementation.

Recall that in POSIX, it's perfectly legal to refuse to reveal the cwd
when the user lacks search permission to some ancestor directory.
Moreover, refusing permission may be safer because it respects users'
intent to revoke search permission. The present implementation is also
less complex because it defers the hard cases to userland.

On the other hand, we need to support the full-blown kernel version in
the Linuxolator anyway, so we might as well do it once and do it right.
But this doesn't necessarily mean it's a good idea to bypass
restrictions on read permission.

So in summary, I'm in support of the idea of unifying our getcwd
implementations, modulo some of the details...
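The userland fallback the reply refers to (resolving the cwd by walking up ".." under ordinary permission checks, so an unsearchable or unreadable ancestor makes the call fail rather than reveal the path) as an added example; this is not code from the thread or from FreeBSD's libc, and it assumes the POSIX openat/fstatat/fdopendir interfaces and that ".." of the root resolves to the root itself:

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Prepend "/name" to buf, which holds *len bytes plus a terminating NUL. */
static int prepend(char *buf, size_t size, size_t *len, const char *name)
{
    size_t n = strlen(name);
    if (*len + n + 2 > size) { errno = ERANGE; return -1; }
    memmove(buf + n + 1, buf, *len + 1);
    buf[0] = '/'; memcpy(buf + 1, name, n);
    *len += n + 1;
    return 0;
}

/* Hypothetical userland getcwd: walk up ".." and match (st_dev, st_ino) of
 * each level against the entries of its parent. openat("..") needs search
 * permission and listing the parent needs read permission, so an ancestor
 * the caller may not traverse yields NULL/EACCES instead of the path. */
char *walk_getcwd(char *buf, size_t size)
{
    struct stat cur, up, st; struct dirent *e; size_t len = 0; int fd;
    if (size < 2) { errno = EINVAL; return NULL; }
    if ((fd = open(".", O_RDONLY | O_DIRECTORY)) < 0) return NULL;
    buf[0] = '\0';
    if (fstat(fd, &cur) < 0) { close(fd); return NULL; }
    for (;;) {
        int pfd = openat(fd, "..", O_RDONLY | O_DIRECTORY); close(fd);
        if (pfd < 0) return NULL;                  /* EACCES: unsearchable ancestor */
        if (fstat(pfd, &up) < 0) { close(pfd); return NULL; }
        if (up.st_dev == cur.st_dev && up.st_ino == cur.st_ino) {
            close(pfd);                            /* ".." of the root is the root */
            return len == 0 ? strcpy(buf, "/") : buf;
        }
        DIR *d = fdopendir(pfd);                   /* EACCES: unreadable parent */
        if (d == NULL) { close(pfd); return NULL; }
        while ((e = readdir(d)) != NULL)           /* find the entry naming cur */
            if (fstatat(pfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) == 0 &&
                st.st_dev == cur.st_dev && st.st_ino == cur.st_ino) break;
        if (e == NULL) errno = ENOENT;             /* cwd is no longer linked */
        if (e == NULL || prepend(buf, size, &len, e->d_name) < 0) { closedir(d); return NULL; }
        fd = dup(pfd); closedir(d);                /* closedir() closes pfd */
        if (fd < 0) return NULL;
        cur = up;
    }
}
```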