Posix shared memory problem
Robert Watson
rwatson at FreeBSD.org
Thu May 21 09:36:33 UTC 2009
On Mon, 11 May 2009, Garrett Wollman wrote:
> <<On Mon, 11 May 2009 11:25:37 +0200, Lothar Scholz <scholz at scriptolutions.com> said:
>
>> Some idiots started to think about this as a file path. But it isn't
>> and it shouldn't.
>
> Actually, it really should be. Ask a security person or a virtualization
> person to explain why an unnecessary multiplicity of namespaces is a bad
> idea.
Despite having been partly responsible for the new POSIX shm code in 8.x that
removes file system namespace use for POSIX shm, I strongly agree with your
statement.
The hierarchical and access-controlled structure of the file system namespace is
a key feature that makes it preferable to the plethora of other weird global
namespaces arriving with various new IPC models. A hierarchical namespace with
access control allows reliable delegation of portions of the namespace -- for
example, administrators can authorize a user to use any name in
"/home/username" without worrying that users will spoof each other's services
based on application start order, crashes, etc. The existence of additional
flat namespaces, such as those used by System V IPC, POSIX shm, POSIX sem, etc.,
is quite problematic from this perspective, and significantly increases the
risk of vulnerability.
Robert N M Watson
Computer Laboratory
University of Cambridge
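The delegation point made above (in a flat shm namespace, whoever runs first owns the name) is why a service that has to use POSIX shm cannot simply shm_open a name and trust whatever it gets. The following is an added example, not code from this thread or from FreeBSD: it claims the name atomically with O_EXCL and, if the name already exists, reuses it only after verifying owner and mode; the function names, the shm name and the constructed "world-writable" bad state are my own assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Claim NAME in the flat POSIX shm namespace without trusting it blindly.
 * O_EXCL makes creation atomic; if the name already exists we only reuse it
 * when it is owned by our effective uid and not writable by group/others.
 * Returns an fd, or -1 (errno set). *created tells the caller which case hit. */
int open_shm_checked(const char *name, mode_t mode, int *created)
{
    int fd = shm_open(name, O_RDWR | O_CREAT | O_EXCL, mode);
    if (fd >= 0) { *created = 1; return fd; }
    if (errno != EEXIST) return -1;

    /* Someone (another user, or an earlier crashed instance of ours) got there first. */
    fd = shm_open(name, O_RDWR, 0);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);          /* refuse: we cannot prove the object is ours */
        errno = EPERM;
        return -1;
    }
    *created = 0;
    return fd;
}

/* Exercise the three outcomes with a per-process name; returns 0 on success. */
int demo(void)
{
    char name[64];
    int c1 = -1, c2 = -1, c3 = -1, fd1, fd2, rc = 0;
    snprintf(name, sizeof name, "/shmcheck-%ld", (long)getpid());
    fd1 = open_shm_checked(name, 0600, &c1);              /* fresh name: created */
    if (fd1 < 0 || c1 != 1) return 1;
    fd2 = open_shm_checked(name, 0600, &c2);              /* ours, sane mode: reused */
    if (fd2 < 0 || c2 != 0) rc = 2;
    /* Constructed bad state: an object left group/world-writable must be rejected. */
    else if (fchmod(fd1, 0666) != 0) rc = 3;
    else if (open_shm_checked(name, 0600, &c3) != -1) rc = 4;
    if (fd2 >= 0) close(fd2);
    close(fd1);
    shm_unlink(name);                                     /* always clean up */
    return rc;
}

int main(void) { return demo(); }
```

Note that this check can only detect a squatted or mis-owned name and fail closed; it cannot reclaim the name, which is exactly the weakness of a flat namespace compared with a directory the user already controls.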