[cap-talk] Reducing Ambient user authority in a Type Safe /Memory Safe OS.
Rob Meijer
capibara at xs4all.nl
Wed Dec 16 22:40:37 PST 2009
On Thu, December 17, 2009 02:48, David-Sarah Hopwood wrote:
> Ben Kloosterman wrote:
>> Hi Rob,
>>
>> Actually I have become more interested in non Mutable objects with F#(Caml)
>> and use non mutable for Asynch IPC between processes (it solves a lot of GC
>> related issues). Completely agree regarding temp and each app should have
>> its own temp dir that gets cleared (I did run into a Windows Terminal
>> Server issue where users were reading each other's files in temp a long
>> time ago.). One issue with tmp is System admins often use different disk
>> sets for this for performance reasons so tmp/appid prob makes more sense
>> than under the app dir.
>
> There seems to be an implicit assumption here that files need to be linked
> into a namespace. They don't; just create an anonymous file (if you need
> temporary objects to be files at all).
>
The process of creating an anonymous file to my knowledge still uses
linking into a namespace that is vulnerable to race condition attacks.
That is, in the anonymous file creation I've seen, you do an open/create
call followed by an unlink. Is there a way to create an anonymous file
without using a temporary namespace to link it into?
Further I would be interested to learn why you feel anonymous files would
be better than the separate (decomposable and delegatable) $TMP namespace
for each pid approach that MinorFs uses.
Rob
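An added example (not part of the thread) for the question above: on Linux 3.11+ with glibc 2.19+, open(2) with O_TMPFILE creates an unlinked file directly inside a directory's filesystem, so the file never has a name and there is no path for another principal to race on; where that flag is unavailable the code falls back to the open-then-unlink pattern Rob describes, where mkstemp() makes the create itself atomic but the name does exist briefly. The helper names anon_file and roundtrip are my own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* exposes O_TMPFILE in fcntl.h on Linux/glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Records how the descriptor was obtained, so a caller can tell whether
 * a transient name existed at all. */
enum anon_method { ANON_FAILED = -1, ANON_TMPFILE = 0, ANON_MKSTEMP_UNLINK = 1 };

/* Return an fd for an unnamed temporary file whose storage lives in `dir`.
 * O_TMPFILE never links the inode into the namespace; O_EXCL additionally
 * forbids a later linkat() from giving it a name. */
int anon_file(const char *dir, enum anon_method *how)
{
    int fd = -1;
#ifdef O_TMPFILE
    fd = open(dir, O_TMPFILE | O_RDWR | O_EXCL | O_CLOEXEC, 0600);
    if (fd >= 0) { *how = ANON_TMPFILE; return fd; }
#endif
    /* Fallback: create-then-unlink. mkstemp() uses O_CREAT|O_EXCL, so the
     * create cannot be hijacked by a pre-placed file or symlink, but the
     * entry is visible in `dir` until the unlink below. */
    char path[4096];
    snprintf(path, sizeof path, "%s/anon.XXXXXX", dir);
    fd = mkstemp(path);
    if (fd < 0) { *how = ANON_FAILED; return -1; }
    unlink(path);
    *how = ANON_MKSTEMP_UNLINK;
    return fd;
}

/* Demo: write a constructed sample payload into an anonymous file and read
 * it back through the same descriptor. Returns 1 on success, 0 otherwise. */
int roundtrip(const char *dir)
{
    enum anon_method how;
    int fd = anon_file(dir, &how);
    if (fd < 0) return 0;
    const char msg[] = "constructed sample payload"; /* constructed input */
    char buf[sizeof msg];
    memset(buf, 0, sizeof buf);
    int ok = write(fd, msg, sizeof msg) == (ssize_t)sizeof msg
          && lseek(fd, 0, SEEK_SET) == 0
          && read(fd, buf, sizeof buf) == (ssize_t)sizeof buf
          && memcmp(msg, buf, sizeof msg) == 0;
    close(fd);
    return ok;
}
```

After anon_file() returns, the only way to reach the file is through the descriptor (or a deliberate delegation of it), which is the property the per-pid $TMP design is also after.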