Date:	27 Apr 2015 01:38:23 -0400
From:	"George Spelvin" <linux@...izon.com>
To:	luto@...aptial.net, torvalds@...ux-foundation.org
Cc:	linux@...izon.com, linux-kernel@...r.kernel.org
Subject: Re: Sharing credentials in general (Re: [GIT PULL] kdbus for 4.1-rc1)

Linus wrote:
> It would be insane to say that the open system call should have an
> explicit argument saying that the vfs layer should take your privileges
> into account.

On the contrary, it would be a big improvement on the current interface.

To be clearer, it would be great if the open system call took an explicit
argument saying *which* privileges it should take into account.

All that screwing around with uid, euid and fsuid and crap would be
a lot simpler if it was explicit in the open() call which permissions
were desired.

In my "If I had a time machine and could go back and talk to Ken & Dennis"
fantasy, there would be no open(), only openat(), and the permissions
would be associated with the dirfd.

In addition to the now-current standard three fds, there would be
additional ones for root and cwd.  And, in a setuid program,
a separate set for effective uids.

So openat(fd, path, flags) would use the real or effective permissions
depending on which fd was in use.  A process could drop permissions
by closing the associated fd.  Etc.

(And a program which was written without setuid awareness would only
use the real-uid dirfds, and the setuidness would do nothing.)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists