Re: RFC: BSD system call revoke?

Matthew Kirkwood (weejock@ferret.lmh.ox.ac.uk)
Thu, 24 Jun 1999 20:33:03 +0100 (GMT)


On Thu, 24 Jun 1999 hagopiar@vuser.vu.union.edu wrote:

> On Wed, 23 Jun 1999, Chris Evans wrote:
> > 2) The impact of allowing arbitrary users to call revoke() on files they
> > own is unassessed, making it very very dangerous. root-owned processes
> > often deal with users' files, and may not be prepared to deal with a file
> > descriptor disappearing from under them. Hence I suggest limiting this
> > call to block devices/char devices.

> Should a user be able to revoke a file descriptor opened by a root
> process in the first place?

Maybe, especially if/when root ceases to mean anything special.

This and the mmap issue are some of the difficult issues that
the BSD people avoided merely by ignoring them (only root can
use revoke(), and it doesn't affect mapped areas).

I believe that the call is generally useful and should be made
available to users, rather than being restricted to CAP_REVOKE
or CAP_DAC_OVERRIDE.

The semantic issues are hard, though.

Matthew.

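The concrete worry Chris Evans raises above is a root-owned process that is not prepared for a descriptor vanishing underneath it. The following is an added example, not code from the thread or from any BSD or Linux implementation: a read loop that treats "the descriptor is gone" as a distinct, non-fatal outcome rather than retrying or aborting. Since Linux has no revoke(2), the demo simulates an invalidated descriptor by closing it and reading again; the errno values it classifies as "revoked" (EBADF, EIO, ENXIO) are an assumption about how a revoked descriptor might fail, not a statement of any kernel's documented behaviour.

```c
/* Added example (not from the thread): a reader that tolerates a
 * descriptor being invalidated underneath it.  revoke(2) does not exist
 * on Linux, so demo() simulates revocation by closing the descriptor
 * before the second read.  The set of errno values treated as
 * "revoked" is an assumption for illustration only. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum drain_status { DRAIN_EOF = 0, DRAIN_REVOKED = 1, DRAIN_ERROR = 2 };

/* Read fd until EOF, counting bytes into *total.  Never assumes the
 * descriptor stays valid from one read() to the next. */
enum drain_status drain_fd(int fd, size_t *total)
{
    char buf[256];
    *total = 0;
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n > 0) {
            *total += (size_t)n;
            continue;
        }
        if (n == 0)
            return DRAIN_EOF;          /* orderly end of data */
        if (errno == EINTR)
            continue;                  /* interrupted, just retry */
        /* Assumed "descriptor or object gone" errors: stop cleanly
         * instead of looping or treating it as a programming error. */
        if (errno == EBADF || errno == EIO || errno == ENXIO)
            return DRAIN_REVOKED;
        return DRAIN_ERROR;            /* anything else is a real error */
    }
}

/* Push a constructed payload through a pipe, drain it normally, then
 * drain again from a descriptor that has been invalidated (simulated
 * with close()).  Returns first_status * 10 + second_status, or -1 on
 * setup failure, so a caller can check both outcomes at once. */
int demo(size_t *got_normal, size_t *got_after)
{
    int p[2];
    const char msg[] = "constructed sample payload";   /* constructed input */
    if (pipe(p) < 0)
        return -1;
    if (write(p[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        return -1;
    close(p[1]);                        /* writer done: reader will see EOF */
    enum drain_status s1 = drain_fd(p[0], got_normal);
    close(p[0]);                        /* simulate the descriptor being revoked */
    enum drain_status s2 = drain_fd(p[0], got_after);
    return (int)s1 * 10 + (int)s2;
}

int main(void)
{
    size_t a = 0, b = 0;
    int rc = demo(&a, &b);
    printf("status=%d normal_bytes=%zu after_bytes=%zu\n", rc, a, b);
    return rc < 0;
}
```

The point of the classification is that a privileged daemon handling users' files can log "descriptor revoked" and move on to the next file, rather than either spinning on an error it did not expect or assuming that an open descriptor implies a still-valid object.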
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/