[cap-talk] More Heresy: ACLs not inherently bad

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Wed Sep 24 09:27:20 CDT 2008


At Wed, 24 Sep 2008 10:35:02 +0200 (CEST),
"Rob Meijer" <capibara at xs4all.nl> wrote:
> I don't think the problem of editing a file before sudo would fit in with
> retrofit solutions either. If it could that would be very interesting to
> learn about. If an oblivious application has an open file handle opened
> with diminished (read only) rights, delegating write permissions to such
> an unchanged oblivious application on the opened file handle would seem
> like quite a challenge.

I agree that transparent backward compatibility is a challenge.  But
the situation is not as bad as you make it sound, as your description
does not match how editors work.  An editor that saves a file might for
example write the changed file to a new temporary file and rename that
to the original filename.  The authority needed for this to occur is
usually derived from other objects rather than the read-only file
handle, for example the directory handles (in Unix: just the user ID
of the process; in the Hurd, the user IDs associated with an
authenticated directory capability), and ACLs on the directory and the
original file.

In any case, this is how it works in the Hurd: The code that processes
signal requests like reauthentication is part of the C library, which
is dynamically linked to the binary executables.  The C library also
controls all file descriptors, the current working directory, the root
directory, the effective user and group IDs of the process.  So, it
can do a lot of magic "under the hood", transparent to the legacy
POSIX process.  In particular, it can reauthenticate all directory and
file capabilities that have been acquired through use of the legacy
POSIX interface provided by the C library, and change the process IDs
as well to make sure that future operations also use this new authority.

It works surprisingly well.  So well that the core problem with the
Hurd is that processes get to see too much of the new functionality
provided by the Hurd, breaking their expectations about interface
stability in subtle but interesting ways; see the referenced paper.

Thanks,
Marcus
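The save-by-rename pattern described in the message above, as an added example that is not code from the post or from the Hurd. It is plain POSIX C: the file is opened read-only, an attempt to write through that descriptor fails with EBADF, and the new content is nevertheless installed by writing a temporary file in the same directory and calling rename(2) over the original. The authority for the replacement comes from the directory (the process's user ID against the directory's permission bits), not from the read-only descriptor. The example also shows that the original read-only descriptor still refers to the old, now-unlinked inode afterwards. The path under /tmp, and the function names `try_write_through_fd`, `save_via_rename`, `read_fd` and `read_file`, are this example's own choices.

```c
/* Added example (not from the cap-talk post): an editor-style save on Unix.
 * A read-only descriptor cannot be written through, but the file can still
 * be replaced via the directory: temp file in the same directory, fsync,
 * then an atomic rename(2) over the original name. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Try to write through a descriptor. Returns 0 on success or the errno
 * (EBADF for a descriptor opened O_RDONLY). */
int try_write_through_fd(int fd, const char *data) {
    if (write(fd, data, strlen(data)) < 0)
        return errno;
    return 0;
}

/* Save `data` to `path` the way many editors do: write a temporary file in
 * the same directory, fsync it, then rename it over `path`. Needs write
 * permission on the directory, not on the original file or descriptor.
 * Returns 0 on success, -1 with errno set on failure. */
int save_via_rename(const char *path, const char *data) {
    char tmpl[4096];
    struct stat st;
    int have_mode = (stat(path, &st) == 0);   /* keep the old mode bits if possible */

    if (snprintf(tmpl, sizeof tmpl, "%s.XXXXXX", path) >= (int)sizeof tmpl) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(tmpl);                    /* created 0600 in the same directory */
    if (fd < 0)
        return -1;
    if (have_mode && fchmod(fd, st.st_mode & 07777) < 0)
        goto fail;

    size_t len = strlen(data), off = 0;
    while (off < len) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) {
            if (errno == EINTR) continue;
            goto fail;
        }
        off += (size_t)n;
    }
    if (fsync(fd) < 0)
        goto fail;
    if (close(fd) < 0) { fd = -1; goto fail; }
    fd = -1;
    if (rename(tmpl, path) < 0)                /* atomic replacement of the name */
        goto fail;
    return 0;

fail: {
        int saved = errno;
        if (fd >= 0) close(fd);
        unlink(tmpl);
        errno = saved;
        return -1;
    }
}

/* Read the whole (small) file behind `fd` from offset 0 into `buf`,
 * NUL-terminated. Returns the byte count or -1. */
ssize_t read_fd(int fd, char *buf, size_t cap) {
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Convenience wrapper: open `path` read-only and read it with read_fd. */
ssize_t read_file(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read_fd(fd, buf, cap);
    close(fd);
    return n;
}

int main(void) {
    char path[] = "/tmp/cap_talk_demo_XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, "old\n", 4) != 4) { perror("setup"); return 1; }
    close(fd);

    int ro = open(path, O_RDONLY);
    char buf[64];
    printf("write through read-only fd: %s\n", strerror(try_write_through_fd(ro, "x")));
    printf("save via rename: %d\n", save_via_rename(path, "new\n"));
    read_file(path, buf, sizeof buf); printf("file now: %s", buf);
    read_fd(ro, buf, sizeof buf);     printf("old fd still sees: %s", buf);
    close(ro);
    unlink(path);
    return 0;
}
```

The security-relevant consequence is the one the message points at: a process holding a read-only handle on a file gains nothing from that handle when it saves, so whatever authority model governs the directory (user IDs, directory capabilities, ACLs on the directory and the original file) is what actually decides whether the save succeeds. The mode-preserving `fchmod` is there because a naive rename also silently replaces the file's owner and permission bits with the saver's.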
