Re: [PATCH] New function (libfshelp) fshelp_cancontrol


From: Roland McGrath
Subject: Re: [PATCH] New function (libfshelp) fshelp_cancontrol
Date: Sat, 31 Mar 2001 22:35:35 -0500 (EST)

I am glad that you have taken a crack at this issue.  But I would like to
see a more comprehensive solution that ties up all the code related to this.

I'd like to have this same single checking function used for all the
control-the-world permission checks.  This includes all the "isroot"
settings used in trivfs and term and so forth, and also the more detailed
checks in things like chown.  In keeping with fshelp_isowner, it might be
natural to call this fshelp_isroot instead of cancontrol.  The code in
e.g. diskfs_S_file_chown would look like this:

     err = fshelp_isroot (&diskfs_underlying_stat, cred->user);
     if (err)   /* not a controller: fall back to the ordinary owner checks */
     {
       err = fshelp_isowner (&np->dn_stat, cred->user);
       if (!err
           && ((uid != (uid_t) -1
                && !idvec_contains (cred->user->uids, uid))
               || (gid != (gid_t) -1
                   && !idvec_contains (cred->user->gids, gid))))
         err = EPERM;
     }
     if (!err)
          ... do it ...

There is the question of precisely which criteria to use.  pfinet has code
already that checks if the user has either root or the st_uid of the
underlying node (actually its value at startup).  Your code gets all the 
current ids.  In the common case of a passive translator, these are the same.

The auth calls you do are too expensive to do on every chown call (though
for fsysopts overhead is not such a concern).  But fortunately there is no
need to do it so often to get the same behavior.  You should just use the
libc geteuids and getgroups calls, which will use a cached value and only
do any RPCs once after the auth port is actually changed (by a call to
setuid or suchlike).  Perhaps there should be a convenience function
for making an idvec from the current ids.

I don't think it much matters which of these criteria we use.  

If pfinet's style is preferable, then it should at least consistently track
the st_uid/st_gid of the underlying node if it passes through changes (as
trivfs filesystems usually do).  Thus the interface in my example code
above, where fshelp_isroot takes a struct stat containing the last stored
state of the underlying node.



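The permission logic discussed in this message, as an added example in plain C (not Roland's code and not the Hurd's libfshelp): `struct ids`, `sim_isroot`, `sim_isowner` and `run_case` are hypothetical stand-ins for idvec, fshelp_isroot and fshelp_isowner, and the stat values and id lists are constructed sample data.

```c
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Constructed stand-in for the Hurd's idvec: a flat list of ids.  */
struct ids { const unsigned int *v; size_t n; };
static int ids_contains (const struct ids *s, unsigned int id)
{
  for (size_t i = 0; i < s->n; i++)
    if (s->v[i] == id) return 1;
  return 0;
}

/* Hypothetical fshelp_isroot: 0 if the caller is root or holds the st_uid
   of the underlying node (its last stored state), else EPERM.  */
int sim_isroot (const struct stat *underlying, const struct ids *uids)
{
  return (ids_contains (uids, 0) || ids_contains (uids, underlying->st_uid))
         ? 0 : EPERM;
}
/* Hypothetical fshelp_isowner: 0 if the caller holds the node's st_uid.  */
int sim_isowner (const struct stat *node, const struct ids *uids)
{ return ids_contains (uids, node->st_uid) ? 0 : EPERM; }

/* The chown gate from the message: a controller may do anything; otherwise
   the caller must own the node and already hold any id it assigns.  */
int sim_chown_allowed (const struct stat *underlying, const struct stat *node,
                       const struct ids *uids, const struct ids *gids,
                       uid_t uid, gid_t gid)
{
  int err = sim_isroot (underlying, uids);
  if (err)   /* not a controller: apply the ordinary owner checks */
    {
      err = sim_isowner (node, uids);
      if (!err && ((uid != (uid_t) -1 && !ids_contains (uids, uid))
                   || (gid != (gid_t) -1 && !ids_contains (gids, gid))))
        err = EPERM;
    }
  return err;
}

/* Constructed scenario: underlying node owned by uid 1000; the file being
   chown'ed is owned by uid 1001, group 100; caller holds one uid, one gid.  */
int run_case (unsigned int caller_uid, unsigned int caller_gid,
              uid_t new_uid, gid_t new_gid)
{
  struct stat underlying = { 0 }, node = { 0 };
  underlying.st_uid = 1000; node.st_uid = 1001; node.st_gid = 100;
  unsigned int u[] = { caller_uid }, g[] = { caller_gid };
  struct ids uids = { u, 1 }, gids = { g, 1 };
  return sim_chown_allowed (&underlying, &node, &uids, &gids, new_uid, new_gid);
}
```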