Subject: Re: Useful calls taking filehandles
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Bill Studenmund <wrstuden@nas.nasa.gov>
List: tech-kern
Date: 02/26/1999 13:20:58
On Fri, 26 Feb 1999, Bill Sommerfeld wrote:

> An interface like this could be very useful for (e.g.) coda and AFS
> servers. 
> 
> (putting on my security geek hat)
> 
> I assume that calls which take a file handle will be restricted to
> root only, securelevel < 2, or thereabouts?

I don't think securelevel checks are good as securelevel 2 == server
level, and we want these calls usable in the server. :-)

I'm uncertain about the need for rootness IFF you aren't in a chroot'd
environment. Because you still have to have access permissions to perform
whatever operation you want. I.e. fhopen would still check that you can
open the file for whatever access you want. And you wouldn't be able to
write to a file you didn't open for write, etc.

The one opening I can see is you could conceivably gain access to a file
which you were barred from due to not being able to search a parent
directory. Thus the not-if-chroot'd requirement.

It might be interesting to permit non-root access (subject of course to
the normal access rights) as then you could run your server as non-root.

Take care,

Bill
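The two openings discussed above (a handle bypassing a parent directory's search permission, and a handle reaching a file outside a chroot) can be shown with a small model. This is an added illustration, not code from the thread or from any NetBSD source: it is a constructed in-memory filesystem with owner/other permission bits only (group bits are ignored), a `path_open` that walks components the way a normal open does, and an `fhopen` that resolves an opaque handle and checks only the target's own mode, as the message describes. The tree layout, uids and handle table are all made up for the example.

```python
"""Toy model: path-based open versus open-by-file-handle permission checks.

Constructed example. Owner/other permission bits only; uid 0 bypasses mode
checks. A path walk needs search (X) on every directory traversed; an open by
handle skips the walk and checks only the target node's own bits.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

R, W, X = 4, 2, 1  # permission bits


@dataclass
class Node:
    name: str
    uid: int
    mode: int                       # e.g. 0o700 -> owner rwx, other ---
    is_dir: bool = False
    children: Dict[str, "Node"] = field(default_factory=dict)


# A file handle is an opaque token naming a node independently of any path
# (hypothetical handle table; a real kernel encodes fsid + inode + generation).
HANDLES: Dict[int, Node] = {}


def getfh(node: Node) -> int:
    fh = len(HANDLES) + 1
    HANDLES[fh] = node
    return fh


def check_mode(node: Node, uid: int, want: int) -> bool:
    """Owner uses the owner bits, everyone else the 'other' bits; uid 0 bypasses."""
    if uid == 0:
        return True
    bits = (node.mode >> 6) & 7 if node.uid == uid else node.mode & 7
    return bits & want == want


def path_open(root: Node, path: str, uid: int, want: int) -> Tuple[Optional[Node], str]:
    """Walk from `root`: each directory needs X (search), the leaf needs `want`."""
    cur = root
    for part in [p for p in path.split("/") if p]:
        if not cur.is_dir:
            return None, f"ENOTDIR at {cur.name}"
        if not check_mode(cur, uid, X):
            return None, f"EACCES: no search permission on {cur.name}"
        cur = cur.children.get(part)
        if cur is None:
            return None, f"ENOENT: {part}"
    if not check_mode(cur, uid, want):
        return None, f"EACCES: mode {oct(cur.mode)} on {cur.name}"
    return cur, "ok"


def fhopen(fh: int, uid: int, want: int) -> Tuple[Optional[Node], str]:
    """Open by handle: only the target's own permission bits are consulted."""
    node = HANDLES.get(fh)
    if node is None:
        return None, "ESTALE"
    if not check_mode(node, uid, want):
        return None, f"EACCES: mode {oct(node.mode)} on {node.name}"
    return node, "ok"


def build_tree() -> Node:
    """Constructed layout: /private (uid 1000, 0700)/secret.txt (uid 1000, 0644), /jail (0755)."""
    root = Node("/", 0, 0o755, True)
    private = Node("private", 1000, 0o700, True)
    private.children["secret.txt"] = Node("secret.txt", 1000, 0o644)
    root.children["private"] = private
    root.children["jail"] = Node("jail", 0, 0o755, True)
    return root


def demo() -> Dict[str, str]:
    root = build_tree()
    secret = root.children["private"].children["secret.txt"]
    jail = root.children["jail"]
    fh = getfh(secret)  # handle obtained by some other means, e.g. from a server
    # uid 2000 is neither root nor the owner of /private: the walk stops at the
    # 0700 directory, but the handle gets straight to the 0644 file for reading.
    _, by_path = path_open(root, "/private/secret.txt", 2000, R)
    _, by_fh = fhopen(fh, 2000, R)
    # fhopen still enforces the file's own mode: write is refused (other = r--).
    _, by_fh_w = fhopen(fh, 2000, W)
    # A process chroot'd into /jail cannot reach the file by path at all,
    # yet the handle resolves regardless of where its root directory is.
    _, chroot_path = path_open(jail, "/private/secret.txt", 0, R)
    _, chroot_fh = fhopen(fh, 0, R)
    return {"path_open": by_path, "fhopen_read": by_fh, "fhopen_write": by_fh_w,
            "chroot_path": chroot_path, "chroot_fhopen": chroot_fh}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

Running it shows `path_open` failing with no search permission on `private`, `fhopen_read` succeeding, `fhopen_write` still refused by the file's own 0644 mode, and the chroot'd path lookup failing with ENOENT while the same handle opens fine. That is exactly the gap the message points at: the per-file check survives, but the directory-search and chroot checks that a path walk performs are never reached.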