Date: 27 Apr 2015 01:38:23 -0400
Message-ID: <20150427053823.9847.qmail@ns.horizon.com>
From: "George Spelvin" <linux@horizon.com>
To: luto@amcaptial.net, torvalds@linux-foundation.org
Subject: Re: Sharing credentials in general (Re: [GIT PULL] kdbus for 4.1-rc1)
Cc: linux@horizon.com, linux-kernel@vger.kernel.org
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1437
Lines: 33

Linus wrote:
> It would be insane to say that the open system call should have an
> explicit argument saying that the vfs layer should take your privileges
> into account.

On the contrary, it would be a big improvement on the current interface.

To be clearer, it would be great if the open system call took an explicit
argument saying *which* privileges it should take into account.

All that screwing around with uid, euid and fsuid and crap would be
a lot simpler if it was explicit in the open() call which permissions
were desired.

In my "If I had a time machine and could go back and talk to Ken & Dennis"
fantasy, there would be no open(), only openat(), and the permissions
would be associated with the dirfd.

In addition to the now-current standard three fds, there would be
additional ones for root and cwd.  And, in a setuid program,
a separate set for effective uids.

So openat(fd, path, flags) would use the real or effective permissions
depending on which fd was in use.  A process could drop permissions
by closing the associated fd.  Etc.

(And a program which was written without setuid awareness would only
use the real-uid dirfds, and the setuidness would do nothing.)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/