Posix shared memory problem

Robert Watson rwatson at FreeBSD.org
Thu May 21 09:36:33 UTC 2009

On Mon, 11 May 2009, Garrett Wollman wrote:

> <<On Mon, 11 May 2009 11:25:37 +0200, Lothar Scholz <scholz at scriptolutions.com> said:
>> Some idiots started to think about this as a file path. But it isn't
>> and it shouldn't.
> Actually, it really should be.  Ask a security person or a virtualization 
> person to explain why an unnecessary multiplicity of namespaces is a bad 
> idea.

Despite having been partly responsible for the new POSIX shm code in 8.x that 
removes file system namespace use for POSIX shm, I strongly agree with your 

The hierarchal and access-controlled structure of the file system namespace is 
a key feature that makes it preferable to the plethora of other weird global 
namespaces arriving with various new IPC models.  A hierarchal namespace with 
access control allows reliable delegation of portions of the namespace -- for 
example, administrators can authorize a user to use any name in 
"/home/username" without worrying that users will spoof each others services 
based on application start order, crashes, etc.  The existence of additional 
flat namespaces, such as used by System V IPC, POSIX shm, POSIX sem, etc, is 
quite problematic from this perspective, and significantly increases the risk 
of vulnerability.

Robert N M Watson
Computer Laboratory
University of Cambridge

More information about the freebsd-arch mailing list