Chris Evans writes:
> On Thu, 31 Aug 2000, Tigran Aivazian wrote:
> > Actually, microcode driver checks CAP_SYS_RAWIO only on open() so it would
> > allow access to the receiver of fd even he has no CAP_SYS_RAWIO
> > privilege. Hmmm, maybe I should put it back into write() method, as Linus
> > (or someone else) did at some point (and I removed it)...
> Please don't put it back into write(). One of the powerful uses of passing
> fds is across privilege boundaries. We don't want that to suddenly stop
> Look at it this way: if anyone passes a privileged fd, they either
> know what they are doing, or get what they deserve.
I agree. Firstly, you can't frob random memory with the MTRR driver,
so it clearly doesn't need CAP_SYS_RAWIO. Secondly, if a privileged
process (i.e. one which can open RW) wishes to pass the FD, then that
should be allowed.
Besides, we have this nice access control method in Unix: file
permissions. Why not use it?
So, I'm inclined to replace the calls to suser() with a check for
write access on the filp.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to email@example.com
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Sep 07 2000 - 21:00:11 EST