Re: Some ideas for the kernel wishlist

H. Peter Anvin (hpa@transmeta.com)
5 Apr 1998 19:45:32 GMT


Followup to: <C12565DD.0054CEB2.00@do-notes01.ExperTeam.de>
By author: Roderich Schupp <rsch@ExperTeam.de>
In newsgroup: linux.dev.kernel

> > - "real" /dev/fd/n devices like on some other systems where,
> > if the file descriptor n is open, these two system calls
> > have the same effect:
> > fd = open("/dev/fd/n", mode);
> > fd = dup(n);
> > (mode is ignored, EBADF if file descriptor n is not open;
> > note that the /dev/fd -> /proc/self/fd symlink is not
> > exactly the same).
> Correct, opening /proc/self/fd/n doesn't give you a shared file
> descriptor. Is this a bug or a feature? Is it possible to change this?
> Or is it a job for ... DEVFS?

It's a bug, but it requires VFS changes to change. I have discussed
this with Linus and Bill Hawes, and we have a pretty good idea of what
needs to be fixed. I am going to try to do the work, but it is
questionable in my mind if this will be a change appropriate for 2.2.

> > This can be useful to allow reasonably
> > safe implementation of setuid scripts (open the script
> > and pass /dev/fd/n as the script name to the interpreter).
> Checking on this, I was shocked to discover that Linux still doesn't
> support setuid scripts.

This is a feature. It should be up to the script interpreter (with
assistance of the sysadmin) to set this policy, not the kernel.
Allowing setuid scripts effectively means setting the setuid bit on
one file makes *another* file setuid, and that is not good.

The Linux kernel is doing exactly the right thing (honouring the
setuid bit on the interpreter, not on the script itself.) If the
interpreter is equipped to handle setuid scripts, it can securely
fstat() and setuid(). Perl does this, for example. bash doesn't,
because bash isn't equipped to handle setuid scripts securely.

>
> BTW looking at binfmt_script.c I see that it
> restricts you to 127 characters for the name of the script interpreter
> and the arguments combined (the number 128 is even hard-coded in
> several places). In fact, there can be at most one argument to the
> interpreter. If someone had described these limits to me and asked me
> to guess the flavor of Un*x from it, I'd bet on some darn old SysV3
> system :(

That's because it's up to the interpreter to break up the argument
string.

-hpa

-- 
    PGP: 2047/2A960705 BA 03 D3 2C 14 A8 A8 BD  1E DF FE 69 EE 35 BD 74
    See http://www.zytor.com/~hpa/ for web page and full PGP public key
        I am Bahá'í -- ask me about it or see http://www.bahai.org/
   "To love another person is to see the face of God." -- Les Misérables
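The two points in the reply, that opening /proc/self/fd/n is not a dup() of n, and that a setuid-aware interpreter decides from fstat() of the descriptor it already holds, as an added example that is not code from the message, from the kernel or from Perl. It assumes Linux with /proc mounted; the temporary file name and the two-line script it holds are constructed for the demo.

```c
/* Added example, not from the original message. Shows on Linux:
 *  1. dup(n) shares n's open file description (the file offset moves
 *     together), while open("/proc/self/fd/n") resolves to the same inode
 *     but yields a new, independent open file description;
 *  2. the interpreter-side check hpa describes: decide whether a script is
 *     setuid from fstat() of the descriptor already held, so the file that
 *     was checked is the file that is run.
 * Assumes Linux with /proc mounted; the temp file is a constructed script. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create an unlinked temp file holding a constructed two-line script. */
static int make_script(void)
{
    char path[] = "/tmp/devfd-demo-XXXXXX";       /* hypothetical name */
    static const char body[] = "#!/bin/sh\necho hello\n";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                  /* /proc/self/fd/N still reaches it */
    if (write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if a dup()ed descriptor sees fd's offset, 0 if not, -1 on error. */
int dup_shares_offset(int fd)
{
    int d = dup(fd);
    if (d < 0) return -1;
    if (lseek(fd, 5, SEEK_SET) < 0) { close(d); return -1; }
    off_t seen = lseek(d, 0, SEEK_CUR);   /* shared description: 5 */
    close(d);
    return seen == 5;
}

/* 1 if open("/proc/self/fd/N") shares fd's offset, 0 if it is an
 * independent description (starts at 0), -1 if /proc is unavailable. */
int procfd_shares_offset(int fd)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    if (lseek(fd, 5, SEEK_SET) < 0) return -1;
    int r = open(path, O_RDONLY);
    if (r < 0) return -1;
    off_t seen = lseek(r, 0, SEEK_CUR);   /* fresh description: 0 */
    close(r);
    return seen == 5;
}

/* 1 if the /proc reopen refers to the same inode as fd, 0 if not, -1 if
 * /proc is unavailable: same file, different open file description. */
int procfd_same_inode(int fd)
{
    char path[64];
    struct stat a, b;
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    int r = open(path, O_RDONLY);
    if (r < 0) return -1;
    int ok = fstat(fd, &a) == 0 && fstat(r, &b) == 0 &&
             a.st_dev == b.st_dev && a.st_ino == b.st_ino;
    close(r);
    return ok;
}

/* Interpreter-side policy: the uid to switch to if the script carries the
 * setuid bit, or -1 if it must not. Decided on the open descriptor, never
 * on a path that could be swapped between check and run. The setuid()
 * call itself is omitted; it needs privilege and the point is the check. */
long script_setuid_target(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) return -1;
    if (!(st.st_mode & S_ISUID)) return -1;
    return (long)st.st_uid;
}

/* Bitmask of the properties above, for a stand-alone run or a test:
 * bit 0: dup shares the offset        bit 1: /proc reopen does not
 * bit 2: /proc reopen is the same inode (or /proc absent)
 * bit 3: a plain 0600 file is not setuid
 * bit 4: after fchmod(S_ISUID) the target is our uid (or fchmod refused) */
int run_checks(void)
{
    int fd = make_script();
    if (fd < 0) return -1;
    int bits = 0;
    bits |= (dup_shares_offset(fd) == 1) << 0;
    bits |= (procfd_shares_offset(fd) != 1) << 1;
    bits |= (procfd_same_inode(fd) != 0) << 2;
    bits |= (script_setuid_target(fd) == -1) << 3;
    bits |= (fchmod(fd, S_IRWXU | S_ISUID) != 0 ||
             script_setuid_target(fd) == (long)getuid()) << 4;
    close(fd);
    return bits;
}

int main(void)
{
    int bits = run_checks();
    printf("checks: 0x%02x (expect 0x1f)\n", bits);
    return bits == 0x1f ? 0 : 1;
}
```

The /proc checks report -1 rather than failing when /proc is not mounted. The practical consequence for an interpreter that wants to honour setuid scripts is the one the quoted poster was after: decide from fstat() of the descriptor, then hand the child "/proc/self/fd/N" (or /dev/fd/N) as the script name, so the file that runs is the file that was checked even though the reopen is a fresh open file description rather than a shared one.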
