As a regular user:

1. An "open" call for read access and "read" calls work as "expected".
   The user owning the pipe can suck the contents of the pipe out from
   under the process. An "open" call for write (or read/write) access
   returns ETXTBUSY, of all things.

   I guess if the root partition is NFS exported (even read-only), we
   could have a real security problem here with remote users sucking
   out pipe contents, though I don't have the time to test this.
   Also, if the NFS daemon (or some other program using sys_setfsuid)
   creates an anonymous pipe at an inopportune moment, the pipe could
   be compromised. Is there any more obvious way to exploit this? I
   confess that I can't see one.

2. "chmod" calls work as expected.

3. "chown" and "chgrp" calls cause a kernel oops (!). My guess is that
   this has something to do with "chown" and "chgrp" calls on things
   that have existence in the dcache and nowhere else. This could be
   a problem on filesystems using the new FS_IBASKET feature, so I'll
   track this down when I get a minute.

The possible NFS-exploitation is probably enough to justify patching
this out. Should I send such a patch to Linus?
Kevin <buhr@stat.wisc.edu>
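The following is an added probe, not code from Kevin's message: it creates an anonymous pipe in its own process, writes a few constructed bytes into it, and then reopens the pipe's own read end through the /proc/self/fd entry, once for reading and once for writing, recording the outcome and errno of each attempt. Running it shows whether the kernel it runs on reproduces item 1 above (a read reopen that drains the pipe from under the owner, a write reopen refused with ETXTBUSY); a current kernel may allow both opens, and a system without /proc mounted will simply report the open failures. The `probe_proc_pipe` function and `probe_result` struct are names chosen here, not kernel interfaces.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Outcome of reopening our own pipe through /proc/self/fd/<n>. */
struct probe_result {
    int read_open;    /* 1 if open(..., O_RDONLY) on the /proc path succeeded */
    int read_errno;   /* errno when the read open failed, else 0 */
    int bytes_read;   /* bytes drained through the reopened descriptor */
    int write_open;   /* 1 if open(..., O_WRONLY) on the /proc path succeeded */
    int write_errno;  /* errno when the write open failed, else 0 */
};

/* Constructed payload placed in the pipe so a successful reopen can be seen
 * to pull the owner's data out from under it. */
static const char PAYLOAD[] = "probe";
#define PAYLOAD_LEN ((int)(sizeof(PAYLOAD) - 1))

/* Returns 0 and fills *r; returns -1 only if the pipe itself could not be
 * created or filled (nothing to do with /proc). All descriptors are closed
 * before returning. */
int probe_proc_pipe(struct probe_result *r)
{
    int pfd[2];
    char path[64];
    char buf[32];
    int fd;

    memset(r, 0, sizeof *r);
    if (pipe(pfd) < 0)
        return -1;
    if (write(pfd[1], PAYLOAD, PAYLOAD_LEN) != PAYLOAD_LEN) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    snprintf(path, sizeof path, "/proc/self/fd/%d", pfd[0]);

    /* Item 1: reopen for read and try to drain the pipe through it. */
    errno = 0;
    fd = open(path, O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, buf, sizeof buf);
        r->read_open = 1;
        r->bytes_read = n < 0 ? 0 : (int)n;
        close(fd);
    } else {
        r->read_errno = errno;
    }

    /* Item 1, second half: reopen for write. The original read end is still
     * open, so a pipe open for O_WRONLY does not block on a missing reader. */
    errno = 0;
    fd = open(path, O_WRONLY);
    if (fd >= 0) {
        r->write_open = 1;
        close(fd);
    } else {
        r->write_errno = errno;
    }

    close(pfd[0]);
    close(pfd[1]);
    return 0;
}

int main(void)
{
    struct probe_result r;
    if (probe_proc_pipe(&r) < 0) {
        perror("pipe");
        return 1;
    }
    printf("read reopen : %s", r.read_open ? "succeeded" : "failed: ");
    if (!r.read_open) printf("%s", strerror(r.read_errno));
    printf("\n");
    if (r.read_open)
        printf("  drained %d of %d bytes through the /proc descriptor\n",
               r.bytes_read, PAYLOAD_LEN);
    printf("write reopen: %s", r.write_open ? "succeeded" : "failed: ");
    if (!r.write_open) printf("%s", strerror(r.write_errno));
    printf("\n");
    return 0;
}
```

If the read reopen succeeds and drains all of the payload, the kernel lets a process (and so any other process running as the same user) read a pipe's contents through /proc, which is the behaviour the message describes; a write reopen failing with ETXTBSY (shown by strerror as "Text file busy") is the second half of the same observation.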