Re: Please read if you use x86 -current

[der Mouse <mouse%Rodents-Montreal.ORG@localhost>]

>>> Unfortunately, this requires giving user code access to raw disks,
>>> which poses essentially the same set of security risks in the long
>>> term.
>> How exactly did you arrive at that conclusion?
> If user code can overwrite your root filesystem by accessing the
> wrong disk sectors [...]

If "giving...access to raw disks" is an all-or-nothing proposition,
that is, if you can't grant access to one disk without granting access
to all, you're right.

But I see no reason why granting access to (say) sd0* has to also grant
access to wd* or sd1*, or why granting access to sd0e has to also grant
access to sd0[^e].  Certainly using chmod today doesn't do either, and
I can imagine ways (such as passing an already-open fd when the kernel
invokes the handler) which have essentially no risk beyond what is
truly necessary for the filesystem handler to do its job.  (There's
still the overlapping-partition question, but there is no way to make
that one go away short of outright forbidding overlapping partitions,
since a mount for write _must_ be able to write to its partition.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B