Re: Idea: flink() and anon_open()

Russell Coker - mailing lists account (bofh@snoopy.virtual.net.au)
Fri, 13 Mar 98 12:54:40 +1000


>> How is that worse than fchmod() on the file descriptor?
>> If you own the inode, you can change the permission AFAIK.
>> If you don't own the inode, getting a filename won't help you.

>That's not the issue. If you open a file O_RDONLY and pass the fd off to
>someone else (say, a subprocess running with the same credentials), all they
>can do is read the file. If the file also exists in the namespace, they can
>reopen it O_RDWR and modify the file. If flink() exists, they can create
>their own name and open it with whatever mode they like. This would break
>code which assumes that if it passes off a RO file descriptor, that it will
>always be RO.

>Naturally you can still fchmod the file, but if you're talking about the case
>of an anonymous temp file, it doesn't matter what the permissions are once
>it's open and has no name.

One issue that seems to have been missed in this discussion is that if
we're dealing with root-owned processes passing open file handles to processes
running as non-root, then the file may be in a directory (or under a directory
tree) which doesn't grant execute access to the process in question. So you
may have a spool directory for a daemon such as a mail server daemon that
denies execute access to normal users. Then, when the mail is delivered, a
process specified by the user is run to deliver the mail; if this process
could then make a link from the file in the spool directory to somewhere else,
it could defeat the quota system, if nothing else.

-- 
-----------------------------------------------------------
In return for "mailbag contention" errors from buggy Exchange
servers I'll set my mail server to refuse mail from your domain.
The same response applies when a message to a postmaster
account bounces.
"Russell Coker - mailing lists account" <bofh@snoopy.virtual.net.au>
-----------------------------------------------------------
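
An added example in C (not code from this thread) of the hand-off problem the quoted reply describes: a descriptor opened O_RDONLY cannot be written through, but while the file still has a name in the namespace the receiver can simply reopen it O_RDWR with the same credentials, and only once the name is gone does that avenue close. It assumes a writable /tmp; the file content is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a scratch file with constructed content and return a descriptor
 * opened O_RDONLY on it; the still-linked path is written into *path.
 * Assumes /tmp is writable (mkstemp creates the file mode 0600). */
static int make_ro_fd(char *path, size_t len)
{
    snprintf(path, len, "/tmp/rofd_demo_XXXXXX");
    int wfd = mkstemp(path);
    if (wfd < 0 || write(wfd, "spool data\n", 11) != 11)
        return -1;
    close(wfd);
    return open(path, O_RDONLY);   /* this is the fd that gets handed off */
}

/* Receiver writes through the descriptor it was given. Returns 0 on success
 * or errno; here EBADF, since the kernel enforces the O_RDONLY open mode. */
static int write_via_fd(int fd)
{
    return write(fd, "x", 1) < 0 ? errno : 0;
}

/* Receiver reopens the same file by name with O_RDWR. Returns 0 if that
 * worked (the read-only hand-off protected nothing) or errno; ENOENT once
 * the name has been unlinked and only the anonymous inode remains. */
static int reopen_rw_by_name(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    char path[64];
    int fd = make_ro_fd(path, sizeof path);
    if (fd < 0)
        return 1;
    printf("write via RO fd:         %s\n", strerror(write_via_fd(fd)));
    printf("reopen O_RDWR, named:    %s\n", strerror(reopen_rw_by_name(path)));
    unlink(path);                  /* remove the name: now an anonymous file */
    printf("reopen O_RDWR, unlinked: %s\n", strerror(reopen_rw_by_name(path)));
    return close(fd);
}
```

On Linux the receiver can also reopen the inode through /proc/self/fd/N, which is checked against the inode's permission bits rather than the original open mode, so the fchmod the reply mentions is the control that actually holds once the name is gone.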
