[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080318150439.GB27000@mit.edu>
Date: Tue, 18 Mar 2008 11:04:39 -0400
From: Theodore Tso <tytso@....EDU>
To: Al Viro <viro@...IV.linux.org.uk>
Cc: Michael Tokarev <mjt@....msk.ru>, Andreas Schwab <schwab@...e.de>,
Linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: RFC: /dev/stdin, symlinks & permissions
On Tue, Mar 18, 2008 at 02:32:22PM +0000, Al Viro wrote:
> The real issue is that it was not Plan 9 semantics to start with.
>
> See 9/port/devproc.c and 9/port/devdup.c; the former is procfs and
> while it does have <pid>/fd, the sucker is not a directory - it's
> a text file containing (more or less) the pathnames of opened files
> of that process. The latter is an entirely different thing - it's
> a separate filesystem (#d instead of #p, FWIW). There you have
> per-descriptor files to open and yes, that'll give you dup(). What
> you do not have there is per-process part.
>
> IOW, you can get pathnames of opened files for other processes via
> procfs *AND* you can get open-that-does-only-dup for files in your
> descriptor table - on a separate filesystem.
Well, what we did was to make readlink() return the pathname, and
open() return a dup of the filesystem. I thought that was pretty
clever at the time, actually.
Yes, it wasn't completely the plan 9 semantics, but in terms of what
happened with when you opened the filesystem, it was equivalent to
dupfs.
Maybe our mistake was to make /dev/fd a symlink to /proc/self/fd, and
/dev/stdin a symlink to /proc/self/fd/0, et. al, since we don't get
the semantics exactly right compard to other operating systems.
> 1.2 tried to mix both. I'm not actually sure that it was a good idea wrt
> security, while we are at it...
What is the security problem that you are worried about? That it
might leak the pathname to someone who had an open file handle to the
file? That doesn't seem like a huge deal to me....
> We could implement Plan 9 style dupfs, but to do that without excessive
> ugliness we'd need to change prototype of ->open() - it must be able to
> return a reference to struct file different from anything it got from
> caller; probably the least painful way would be to make it return
> NULL => success, use struct file passed to ->open()
> ERR_PTR(-err) => error
> pointer to struct file => success, caller should drop the
> reference to struct file it had passed to ->open() and use the return value.
> Still a mind-boggling amount of churn - probably too much to bother with.
Yeah, ouch. The only other way to do it would be to add a new
function pointer to the file_operations() field which would only be
used filled in by procfs inodes, and then have the sys_open() routine
call that function pointer if open() was zero. But that would be
quite ugly....
- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists