Path: utzoo!attcan!uunet!wuarchive!udel!haven!adm!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.internals
Subject: Re: Ideas for changes to Unix filesystem
Message-ID: <20190:Feb712:13:4391@kramden.acf.nyu.edu>
Date: 7 Feb 91 12:13:43 GMT
References: <1991Jan30.143326.16676@socs.uts.edu.au> <121494@uunet.UU.NET>
Organization: IR
Lines: 21

In article richard@locus.com (Richard M. Mathews) writes:
[ foo is mode 700 root, foo/bar is mode 666 root, some setuid program ]
[ opens foo/bar for reading and passes the descriptor to user code ]
> With flink(), the user could create a name for the file, reopen it for
> write, and screw up the whole world.

Nah. flink() would only work if you have the file open for writing. End of
security problems. You say this is a limitation? Well---

(The *right* way to do this is to have an entirely separate bit: O_LINK,
perhaps. The privileged program here would just make sure to leave O_LINK
out of the open. See the O_NONE discussion that crops up now and then:
people have proposed good uses for a few other bits.)

---it did occur to you that under the current system, you'd need either
read or write access to open the descriptor for flink() in the first
place. Didn't it?

Until there's something like O_NONE to open files for operations without
I/O, this part of the system will never be perfectly clean. The simplest
solution is to make O_LINK synonymous with O_WRONLY.

---Dan
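An added illustration of the rule proposed in the post above, not part of the original article: the check "flink() only works if you have the file open for writing" can be made against the descriptor itself, because the access mode chosen at open() time is recoverable with fcntl(F_GETFL) no matter who holds the descriptor now or what name it was opened by. The C below is example code written for this page; flink_allowed, make_scenario, open_bar and destroy_scenario are its own names, and no flink() or O_LINK exists on the systems it targets. It builds the thread's scenario without privilege (a 0700 directory holding a 0666 file, owned by the caller rather than root), opens the file read-only as the setuid program would, and applies the rule to that descriptor and to one opened for writing. On Linux it also tries O_PATH, the bit that later provided "open for operations without I/O"; such a descriptor carries neither read nor write mode, so the rule refuses it as well, which is the O_LINK-means-O_WRONLY behaviour of the last paragraph.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The rule from the post, as a check a kernel or library could apply before
 * honouring a link-by-descriptor request: the descriptor must have been
 * opened for writing (O_WRONLY or O_RDWR).  The access mode lives in the
 * open file description and is read back with F_GETFL, so the check does
 * not depend on the pathname or on who currently holds the descriptor.
 * Returns 1 if linking would be allowed, 0 otherwise (including bad fds). */
int flink_allowed(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags == -1)
        return 0;
    int mode = flags & O_ACCMODE;
    return mode == O_WRONLY || mode == O_RDWR;
}

/* Build the thread's scenario under /tmp: a directory of mode 0700 holding
 * "bar" with mode 0666.  In the thread both are owned by root; here they
 * belong to whoever runs the example, so no privilege is needed.
 * Returns a malloc'd directory path, or NULL on failure. */
char *make_scenario(void)
{
    char tmpl[] = "/tmp/flinkXXXXXX";   /* hypothetical location for the demo */
    if (mkdtemp(tmpl) == NULL || chmod(tmpl, 0700) == -1)
        return NULL;
    char path[64];
    snprintf(path, sizeof path, "%s/bar", tmpl);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd == -1)
        return NULL;
    fchmod(fd, 0666);                   /* restore bits the umask masked off */
    close(fd);
    return strdup(tmpl);
}

/* Open dir/bar with the given flags.  Stands in for the setuid program's
 * open(foo/bar, O_RDONLY) and for the user's later attempt to reopen. */
int open_bar(const char *dir, int flags)
{
    char path[64];
    snprintf(path, sizeof path, "%s/bar", dir);
    return open(path, flags);
}

void destroy_scenario(char *dir)
{
    char path[64];
    snprintf(path, sizeof path, "%s/bar", dir);
    unlink(path);
    rmdir(dir);
    free(dir);
}

int main(void)
{
    char *dir = make_scenario();
    if (dir == NULL) {
        perror("make_scenario");
        return 1;
    }
    /* The descriptor the setuid program hands out: read-only, so refused. */
    int rd = open_bar(dir, O_RDONLY);
    printf("O_RDONLY fd: flink %s\n", flink_allowed(rd) ? "allowed" : "refused");
    /* The same file opened for writing: the holder could already clobber it,
     * so giving it a name grants nothing new, and the rule allows it. */
    int wr = open_bar(dir, O_RDWR);
    printf("O_RDWR fd:   flink %s\n", flink_allowed(wr) ? "allowed" : "refused");
#ifdef O_PATH
    /* Linux's O_PATH opens for operations without I/O; F_GETFL reports no
     * read or write mode for it, so the rule refuses it too. */
    int np = open_bar(dir, O_PATH);
    printf("O_PATH fd:   flink %s\n", flink_allowed(np) ? "allowed" : "refused");
    if (np >= 0) close(np);
#endif
    if (rd >= 0) close(rd);
    if (wr >= 0) close(wr);
    destroy_scenario(dir);
    return 0;
}
```

The point the check makes concrete is that the thing being guarded is the descriptor's mode, not the file's permission bits: foo/bar is 0666, so a permission check on the inode would pass, but the descriptor the user actually holds was opened O_RDONLY and that is what refuses the link.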