From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jamie Lokier
Subject: Re: Does sendfile() copy extended attributes?
Date: Sat, 20 Dec 2003 20:40:40 +0000
Sender: linux-fsdevel-owner@vger.kernel.org
Message-ID: <20031220204040.GA28180@mail.shareable.org>
References: <20031219163715.GA16578@mail.sternwelten.at> <006301c3c6f3$8274ef80$0201a8c0@joe>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "'maximilian attems'" , linux-fsdevel@vger.kernel.org
Return-path:
Received: from mail.shareable.org ([81.29.64.88]:16263 "EHLO mail.shareable.org")
	by vger.kernel.org with ESMTP id S261368AbTLTUkq (ORCPT );
	Sat, 20 Dec 2003 15:40:46 -0500
To: "Joseph D. Wagner"
Content-Disposition: inline
In-Reply-To: <006301c3c6f3$8274ef80$0201a8c0@joe>
List-Id: linux-fsdevel.vger.kernel.org

Joseph D. Wagner wrote:
> Because that violates one of the Immutable Laws of Security -- "If
> you're running someone else's program, it's not your program anymore."

That is equally the case if you're running someone else's function.

> If my program executes another program like cp/rsync in your
> example, it would be vulnerable to a privilege elevation when run as
> root. A hacker could replace cp/rsync, change the PATH, or a dozen
> other tricks to get it to execute his version of cp/rsync.

A hacker could also change libc.so and thereby change the copy function.

> Now if there's a function call that will copy a file -- other than
> the sendfile function which is what this thread has been all about --
> I'm all ears. However, I am not going to execute another program.

You are imagining a black box function which is specified to copy a
file and its attributes. How can you know that function does not work
by calling an external program?

-- Jamie