fchroot(2) and others.

Pawel Jakub Dawidek pjd at FreeBSD.org
Sat Mar 27 16:41:24 PST 2004


On Sun, Mar 28, 2004 at 01:04:13AM +0100, Jilles Tjoelker wrote:
> > 	http://people.freebsd.org/~pjd/patches/secure_syscalls.patch
> 
> > I've also implemented safe versions of other syscalls:
> 
> > int flink(int fd, const char *link);
> 
> This means that you can access a file forever when you get a descriptor
> on it once, which may not be desired. In any case, this gives more
> rights than normal. You could mitigate this by requiring the caller to
> own the file, or by following the same approach (fd+name) as in
> funlink() and frename().

Actually, if you are worrying about this, you should use the sysctl:

	security.bsd.hardlink_check_[ug]id

> > Maybe funlink(2) and frename(2) look weird, but it should work.
> > The idea is that one cannot pass only a descriptor number to those
> > functions, because they're operating on file system object names
> > and there is no clean way to get a path name from a descriptor.
> 
> It's actually impossible to get the path name, there may be zero names,
> or more than one.

You can try to get a path name from the VFS name cache (vn_fullpath(9)),
but that's why I called it a non-clean way.

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd at FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
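The fd+name approach discussed above (resolve a name relative to a held directory descriptor rather than trusting a path string), shown as an added example that is not part of this thread or of pjd's patch: it uses the POSIX.1-2008 *at() calls (openat, renameat, linkat, unlinkat, fstatat) that later standardized this shape, not the proposed funlink()/frename()/flink() interfaces, and the scratch directory under /tmp is constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 on success, or a negative step number for the first failing step. */
int fd_relative_demo(void)
{
    char tmpl[] = "/tmp/fdrel.XXXXXX";   /* constructed scratch directory */
    struct stat st;
    int dirfd, fd;
    if (mkdtemp(tmpl) == NULL)
        return -1;
    /* Hold the directory open: every later operation is resolved against
       this descriptor, so a concurrent rename of an ancestor directory
       cannot redirect the name to a different object. */
    dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -2;
    fd = openat(dirfd, "orig", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "x", 1) != 1 || close(fd) != 0)
        return -3;
    /* frename()-style: both names are relative to the held directory. */
    if (renameat(dirfd, "orig", dirfd, "renamed") != 0)
        return -4;
    /* The link case expressed as dirfd+name on both sides, the shape
       Jilles suggests instead of linking from a bare file descriptor. */
    if (linkat(dirfd, "renamed", dirfd, "hardlink", 0) != 0)
        return -5;
    if (fstatat(dirfd, "hardlink", &st, 0) != 0 || st.st_nlink != 2)
        return -6;
    /* funlink()-style: remove by name relative to the directory descriptor. */
    if (unlinkat(dirfd, "renamed", 0) != 0 || unlinkat(dirfd, "hardlink", 0) != 0)
        return -7;
    if (fstatat(dirfd, "renamed", &st, 0) == 0)   /* must be gone now */
        return -8;
    close(dirfd);
    rmdir(tmpl);
    return 0;
}

int main(void)
{
    int rc = fd_relative_demo();
    printf("fd-relative demo: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```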