
Re: untrusted translators


From: Thomas Bushnell BSG
Subject: Re: untrusted translators
Date: 21 Mar 2005 06:39:31 -0800
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3

Marcus Brinkmann <marcus.brinkmann@ruhr-uni-bochum.de> writes:

> Now, we have our own temp reaper.  And a tmp reaper would be trivial
> if you would hack rm to have a "--do-not-follow-translator" option.
> But I believe that is not good enough.  The reason is that

So my response in the past has been "filesystem traversers need to
know about this new feature."

You are probably right indeed, however, when you say:

> 1) It is unfeasible to change all programs that traverse filesystems,
>    or just follow untrusted paths.  It may not even be possible to
>    easily find out which programs do that.  

Moreover, we have to re-program users, not just programs.  So even if
we could fix every program, we can't fix all their users:

> 3) This is the POSIX personality of the Hurd, and people will have
>    certain expectations about how to be secure.  

> I have posted a suggestion to fix this a long time ago, but can't find
> the mail right now (maybe I never sent it?).  The solution would be to
> always open nodes with O_NOTRANS, and if the translator bit is set,
> there is a user ID check.  If the user ID belongs to a trusted set,
> which by default is "0-XXX,myself" where 0-XXX is the range of system
> user IDs (this would be 0-999 on my system, I think), then the
> translator is followed.  Otherwise it is not followed, unless the user
> explicitly specifies a new flag O_TRANS.

Yes, that works; having it done through an environment variable makes
it fairly easy for users to overcome it when they want.  

I'm not sure this is the right fix, but it looks like it would work
well.
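The rule quoted above, as a self-contained C sketch added here (it is not code from the Hurd or from either author): entries are modelled as what a traverser sees after an O_NOTRANS open and stat, the trusted set is parsed from a string in the mail's "0-XXX,myself" form (the kind of value an environment variable could carry), and SIM_O_TRANS is a placeholder for the proposed O_TRANS flag, which does not exist.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Placeholder for the proposed O_TRANS override (assumption: not a real Hurd flag). */
#define SIM_O_TRANS 0x1
struct trusted_set { uid_t lo, hi; bool include_self; };  /* one uid range + "myself" */

/* Parse "0-999,myself"-style specs; false on malformed input, empty spec trusts nobody. */
bool parse_trusted(const char *spec, struct trusted_set *ts) {
  char buf[128];
  ts->lo = 1; ts->hi = 0; ts->include_self = false;   /* lo > hi: empty range */
  if (strlen(spec) >= sizeof buf) return false;
  strcpy(buf, spec);
  for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
    if (strcmp(tok, "myself") == 0) { ts->include_self = true; continue; }
    char *end;
    unsigned long lo = strtoul(tok, &end, 10), hi = lo;
    if (end == tok) return false;
    if (*end == '-') {                                 /* "lo-hi" range */
      const char *p = end + 1; hi = strtoul(p, &end, 10);
      if (end == p) return false;
    }
    if (*end != '\0' || hi < lo) return false;
    ts->lo = (uid_t)lo; ts->hi = (uid_t)hi;
  }
  return true;
}

/* Constructed view of an entry after an O_NOTRANS open + stat: owner and translator bit. */
struct node { const char *name; uid_t owner; bool has_translator; };

/* The mail's rule: follow a translator only if its owner is trusted or O_TRANS was passed. */
bool follow_translator(const struct node *n, uid_t self,
                       const struct trusted_set *ts, int flags) {
  if (!n->has_translator) return true;           /* plain node, nothing to decide */
  if (flags & SIM_O_TRANS) return true;          /* caller explicitly asked */
  if (ts->include_self && n->owner == self) return true;
  return n->owner >= ts->lo && n->owner <= ts->hi;
}

/* Plan a tmp-reaper pass: how many of the given entries would be followed. */
int count_followed(const struct node *nodes, size_t n, uid_t self,
                   const struct trusted_set *ts, int flags) {
  int followed = 0;
  for (size_t i = 0; i < n; i++)
    if (follow_translator(&nodes[i], self, ts, flags)) followed++;
  return followed;
}
```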
