Date: Mon, 21 Jul 2003 21:31:44 +0200
From: Ingo Oeser <ingo.oeser@informatik.tu-chemnitz.de>
To: RAMON_GARCIA_F <RAMON_GARCIA_F@terra.es>, linux-kernel@vger.kernel.org
Subject: Re: Suggestion for a new system call: convert file handle to a cookie for transfering file handles between processes.)
Message-ID: <20030721213144.O639@nightmaster.csn.tu-chemnitz.de>
References: <5df3060bad.60bad5df30@teleline.es> <20030721172656.GA32597@delft.aura.cs.cmu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20030721172656.GA32597@delft.aura.cs.cmu.edu>; from jaharkes@cs.cmu.edu on Mon, Jul 21, 2003 at 01:27:06PM -0400
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1263
Lines: 28

On Mon, Jul 21, 2003 at 01:27:06PM -0400, Jan Harkes wrote:
> - Refcounting issues, a rogue application can quickle use up kernel
>   resources by requesting thousands of cookies, he isn't even limited by
>   per-process resource limits, as it is possible to open a file, grab a
>   cookie, and close the file. The only 'solution' you have is a timeout
>   on the cookie, possibly this could be extended by some scheme where
>   cookies are dropped more agressivly. But any such solution will either
>   not be sufficient to protect the system from resource exhaustion or
>   provide the opportunity for denial of service attacks.

Best of all: How big you make the number, doesn't matter: You can
always guess such numbers as a local attacker. If not now, then
in some years (want to recompile all existing applications then?).

cmsg(SCM_RIGHTS) is the much better solution, if you really have
processes, which are neither a sibling nor a parent/child
relationship.

And it's also ugly enough ;-)

Regards

Ingo Oeser
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/