From: Theodore Tso <tytso@MIT.EDU>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Michael Tokarev <mjt@tls.msk.ru>, Andreas Schwab <schwab@suse.de>,
Linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: RFC: /dev/stdin, symlinks & permissions
Date: Tue, 18 Mar 2008 11:04:39 -0400 [thread overview]
Message-ID: <20080318150439.GB27000@mit.edu> (raw)
In-Reply-To: <20080318143222.GF10722@ZenIV.linux.org.uk>
On Tue, Mar 18, 2008 at 02:32:22PM +0000, Al Viro wrote:
> The real issue is that it was not Plan 9 semantics to start with.
>
> See 9/port/devproc.c and 9/port/devdup.c; the former is procfs and
> while it does have <pid>/fd, the sucker is not a directory - it's
> a text file containing (more or less) the pathnames of opened files
> of that process. The latter is an entirely different thing - it's
> a separate filesystem (#d instead of #p, FWIW). There you have
> per-descriptor files to open and yes, that'll give you dup(). What
> you do not have there is per-process part.
>
> IOW, you can get pathnames of opened files for other processes via
> procfs *AND* you can get open-that-does-only-dup for files in your
> descriptor table - on a separate filesystem.
Well, what we did was to make readlink() return the pathname, and
open() return a dup of the filesystem. I thought that was pretty
clever at the time, actually.
Yes, it wasn't completely the plan 9 semantics, but in terms of what
happened with when you opened the filesystem, it was equivalent to
dupfs.
Maybe our mistake was to make /dev/fd a symlink to /proc/self/fd, and
/dev/stdin a symlink to /proc/self/fd/0, et. al, since we don't get
the semantics exactly right compard to other operating systems.
> 1.2 tried to mix both. I'm not actually sure that it was a good idea wrt
> security, while we are at it...
What is the security problem that you are worried about? That it
might leak the pathname to someone who had an open file handle to the
file? That doesn't seem like a huge deal to me....
> We could implement Plan 9 style dupfs, but to do that without excessive
> ugliness we'd need to change prototype of ->open() - it must be able to
> return a reference to struct file different from anything it got from
> caller; probably the least painful way would be to make it return
> NULL => success, use struct file passed to ->open()
> ERR_PTR(-err) => error
> pointer to struct file => success, caller should drop the
> reference to struct file it had passed to ->open() and use the return value.
> Still a mind-boggling amount of churn - probably too much to bother with.
Yeah, ouch. The only other way to do it would be to add a new
function pointer to the file_operations() field which would only be
used filled in by procfs inodes, and then have the sys_open() routine
call that function pointer if open() was zero. But that would be
quite ugly....
- Ted
next prev parent reply other threads:[~2008-03-19 19:29 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-03-17 23:26 RFC: /dev/stdin, symlinks & permissions Michael Tokarev
2008-03-17 23:54 ` Andreas Schwab
2008-03-18 7:24 ` Michael Tokarev
2008-03-18 12:54 ` Theodore Tso
2008-03-18 14:32 ` Al Viro
2008-03-18 15:04 ` Theodore Tso [this message]
2008-03-23 16:50 ` H. Peter Anvin
2008-03-23 4:35 ` Denys Vlasenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080318150439.GB27000@mit.edu \
--to=tytso@mit.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=mjt@tls.msk.ru \
--cc=schwab@suse.de \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox