|
|
On Wed, 16 Jul 2008 13:34:34 -0700
Jason Thorpe <thorpej@xxxxxxxxxxxxxx> wrote:
>
> On Jul 16, 2008, at 7:47 AM, Matt Thomas wrote:
>
> > Besides the fhopen(2) previously mentioned, this isn't available
> > because it would break the security used by unix.
>
>
> Other Unix-like platforms (Mac OS X) can do this without breaking
> the Unix security model. We should be able to, too.
>
I'm curious how they do it. Today, I can safely have a mode 666 file
inside a 700 directory. A setuid program can cd to that directory,
surrender privilege, and then operate on the files. The real user
can't get to that directory, and hence can't touch the files -- but if
it could open things by i-node number, it could. (I first saw that
technique used in an old MTA, MMDF, circa 1979.)
--Steve Bellovin, http://www.cs.columbia.edu/~smb
|
|