Re: [PATCH RFC v2] fhandle: expose u64 mount id to name_to_handle_at(2)
From: Christoph Hellwig
Date: Tue Jun 04 2024 - 01:22:38 EST
On Sat, Jun 01, 2024 at 01:12:31AM -0700, Aleksa Sarai wrote:
> Not to mention that providing a mount fd is what allows for extensions
> like Christian's proposed method of allowing restricted forms of
> open_by_handle_at() to be used by unprivileged users.
As mentioned there I find the concept of an unprivileged
open_by_handle_at extremely questionable as it trivially gives access to
any inode on the file systems.
> If file handles really are going to end up being the "correct" mechanism
> of referencing inodes by userspace,
They aren't.
> then future API designs really need
> to stop assuming that the user is capable(CAP_DAC_READ_SEARCH).
There is no way to support open by handle for unprivileged users. The
concept of an inode number based file handle simply does not work for
that at all.