[cap-talk] Reducing Ambient user authority in a Type Safe /Memory Safe OS.
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Fri Dec 18 04:58:41 PST 2009
Rob Meijer wrote:
> The process of creating an anonymous file to my knowledge still uses
> linking into a namespace that is vulnerable to race condition attacks.
It's only vulnerable if used incorrectly ever since O_EXCL was added, see
mkstemp(3).
> That is in the anonymous file creation I've seen, you do an open/create
> call followed by an unlink. Is there a way to create an anonymous file
> without using a temporary namespace to link it into?
The GNU/Hurd implemented an extension to the POSIX API that allowed creation
of anonymous, unnamed files (the files were never linked into the filesystem).
The GNU/Hurd is a capability system, but the same functionality could be
implemented in a normal Unix-like system as well. However, the usual reasons
prevent this from happening (it would be redundant, and applications/libraries
couldn't rely on the new interfaces being available anyway, so nobody would
use it as there is no significant benefit over the existing method).
Thanks,
Marcus