From: Pawel Jakub Dawidek
To: Jilles Tjoelker
Cc: freebsd-arch@freebsd.org
Date: Sun, 28 Mar 2004 01:41:23 +0100
Subject: Re: fchroot(2) and others.
Message-ID: <20040328004123.GV8930@darkness.comp.waw.pl>
In-Reply-To: <20040328000413.GA6185@stack.nl>

On Sun, Mar 28, 2004 at 01:04:13AM +0100, Jilles Tjoelker wrote:
> > http://people.freebsd.org/~pjd/patches/secure_syscalls.patch
> >
> > I've also implemented safe versions of other syscalls:
> >
> > int flink(int fd, const char *link);
>
> This means that you can access a file forever when you get a descriptor
> on it once, which may not be desired.
> In any case, this gives more
> rights than normal. You could mitigate this by requiring the caller to
> own the file, or by following the same approach (fd+name) as in
> funlink() and frename().

Actually, if you are worrying about this, you should use the sysctl:
security.bsd.hardlink_check_[ug]id

> > Maybe funlink(2) and frename(2) look weird, but it should work.
> > The idea is that one cannot pass a descriptor number only to those
> > functions, because they're operating on file system object names
> > and there is no clean way to get a path name from a descriptor.
>
> It's actually impossible to get the path name, there may be zero names,
> or more than one.

You can try to get the path name from the VFS name cache (vn_fullpath(9)),
but that's why I called it a non-clean way.

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
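The fd+name approach discussed in this thread, as an added illustration that is not part of the message or of the secure_syscalls patch: a userspace emulation of a funlink-style check (the names funlink_emul and funlink_demo and the choice of ESTALE as the mismatch error are mine). It shows both points raised above: an open object can have zero names while the descriptor stays usable, and pairing the descriptor with the name keeps a stale descriptor from removing whatever now sits under that name.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Userspace emulation of the fd+name idea: unlink `path` only while it
 * still names the object `fd` refers to (not a real syscall). */
int
funlink_emul(int fd, const char *path)
{
	struct stat sf, sp;
	if (fstat(fd, &sf) == -1 || lstat(path, &sp) == -1)
		return (-1);
	if (sf.st_dev != sp.st_dev || sf.st_ino != sp.st_ino) {
		errno = ESTALE;	/* constructed choice: name no longer matches fd */
		return (-1);
	}
	return (unlink(path));	/* still a separate step: a small race remains */
}

/* Returns 0 if every expectation held, the failing step number otherwise,
 * -1 on setup error.  Works in a private directory under /tmp. */
int
funlink_demo(void)
{
	char dir[] = "/tmp/funlinkXXXXXX", a[64], c[64];
	struct stat sb;
	int fd = -1, tmp, rv = -1;
	if (mkdtemp(dir) == NULL) return (-1);
	snprintf(a, sizeof(a), "%s/a", dir);
	snprintf(c, sizeof(c), "%s/c", dir);
	if ((fd = open(a, O_CREAT | O_RDWR, 0600)) == -1 ||
	    (tmp = open(c, O_CREAT | O_RDWR, 0600)) == -1)
		goto out;
	close(tmp);
	/* 1: fd and name agree: removal works, object has zero names, fd usable */
	if (funlink_emul(fd, a) != 0 || fstat(fd, &sb) != 0 ||
	    sb.st_nlink != 0 || write(fd, "x", 1) != 1) { rv = 1; goto out; }
	/* 2: another file moved under the old name: stale fd must not remove it */
	if (rename(c, a) != 0) goto out;
	rv = (funlink_emul(fd, a) == -1 && errno == ESTALE &&
	    access(a, F_OK) == 0) ? 0 : 2;
out:
	if (fd != -1) close(fd);
	unlink(a); unlink(c); rmdir(dir);
	return (rv);
}
```

The in-kernel version the thread proposes would do the identity check and the directory entry removal under one vnode lock, which this emulation cannot.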