Subject: Re: Addition to force open to open only regular files
To: NetBSD Kernel Technical Discussion List <tech-kern@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-kern
Date: 11/16/2000 21:09:29
[ On Thursday, November 16, 2000 at 15:49:00 (-0800), Bill Studenmund wrote: ]
> Subject: Re: Addition to force open to open only regular files
>
> > It seems to me that the obvious solution to this problem is to
> > re-design or remove the feature that's causing the problem in the first
> > place, not to re-design the entire system so that this feature can be
> > used safely as-is!
> 
> Uhm, what makes you think we are re-designing the whole system?

A bit over-dramatised, I guess.  I should have continued to try to be
very explicit.  I meant only the underlying credentials part of the
systems (e.g. the proposed fsuid), or the addition of a major new system
call (e.g. open_as() or whatever it might be called).

> And what makes you think we are proposing this? I have to ask, what
> exactly do you think we are proposing? Because from my understanding of
> what I proposed, you are on a different page than the rest of us.

I have no idea what "you" are proposing in particular for the
$HOSTALIASES problem, if anything -- I've only seen the various comments
posted here in tech-kern and similar places, and I'm simply pointing out
that they're mostly addressing the wrong problem from the wrong
direction.  There have been lots of different "pages" in this and the
prior related thread, so I'm not surprised that different people are on
different pages of it.  I'm personally trying to stay one level up,
except for my particular views on $HOSTALIASES itself:

> As long as you continue to express the inflexibility you show above,
> people who disagree with you will pursue the only option the situation
> leaves them - ignore you. Is that really what you want?

As Warner has already pointed out, lots of the world already does
without this dangerous feature and they don't seem too unhappy about it
going missing....

Whether some NetBSD developers might find it inconvenient or not is
really of no concern of mine, and whether or not they ignore me isn't
really a big issue to me either.  Hopefully those who don't have some
vested interest in $HOSTALIASES will consider my thoughts on the higher
level issues and debate their pros and cons and not get distracted by
this particular example feature which has spurred this discussion.

I'm very much against an open_reg() or open_type() system call in the
manner of the one proposed at the start of this particular thread, but
I wouldn't quibble much about an open_as() call, especially if it found
support in other systems and maybe even standards bodies.

I'm not sure it needs to be generalised over other file related calls,
or not (and if so then indeed it may make sense to hide it within a file
access credential).

I'm not even sure anything new is necessary if set-ID programs are kept
small and used carefully....

Even $HOSTALIASES could persist under some conditions if no set-ID-root
program ever used the resolver routines.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
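A worked illustration of the two approaches the message contrasts, written for this archive page as an added example (it is not code from the thread, from Greg Woods or from NetBSD). `open_regular_only()` does in user space what an open-only-regular-files call would do: it opens the path and then refuses anything whose descriptor is not a regular file. `open_as_real_user()` approximates the open_as() idea by taking the caller's real uid around the open, so a set-ID program opens a user-supplied path (such as $HOSTALIASES) with the user's permissions rather than root's. Function names are my own; the code assumes a POSIX system with saved set-user-IDs and a writable /tmp for its self-checks.

```c
#define _XOPEN_SOURCE 700
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Open 'path' and hand back the descriptor only if it is a regular file.
 * The type check uses fstat() on the opened descriptor, not stat() on the
 * path, so nothing can swap the object between check and open.  O_NONBLOCK
 * is added for the open itself so that a FIFO planted at the path cannot
 * make a privileged process hang; it is cleared again on success.
 */
int open_regular_only(const char *path, int flags)
{
    struct stat st;
    int fd, fl, saved_errno;

    fd = open(path, flags | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        saved_errno = errno;
        close(fd);
        errno = saved_errno;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;             /* not a regular file: refuse it */
        return -1;
    }
    fl = fcntl(fd, F_GETFL);
    if (fl >= 0)
        (void)fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
    return fd;
}

/*
 * User-land approximation of open_as(): a set-ID program takes the caller's
 * real uid for the duration of the open, so the kernel's ordinary permission
 * checks apply to the user who supplied the path.  Privilege is restored
 * from the saved set-user-ID afterwards.  seteuid() affects the whole
 * process, so this is not safe in a multi-threaded program; a real
 * open_as() system call would not have that limitation.
 */
int open_as_real_user(const char *path, int flags)
{
    uid_t euid = geteuid(), ruid = getuid();
    int fd, saved_errno;

    if (euid != ruid && seteuid(ruid) != 0)
        return -1;
    fd = open_regular_only(path, flags);
    saved_errno = errno;
    if (euid != ruid && seteuid(euid) != 0) {
        /* Could not regain privilege: fail closed rather than run confused. */
        if (fd >= 0)
            close(fd);
        errno = EPERM;
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Self-checks on constructed scratch objects; each returns 1 on success. */
int check_regular_file_accepted(void)
{
    char tmpl[] = "/tmp/aliases.XXXXXX";     /* constructed scratch file */
    int fd = mkstemp(tmpl), ok;

    if (fd < 0)
        return 0;
    close(fd);
    fd = open_as_real_user(tmpl, O_RDONLY);
    ok = fd >= 0;
    if (fd >= 0)
        close(fd);
    unlink(tmpl);
    return ok;
}

int check_directory_rejected(void)
{
    char tmpl[] = "/tmp/aliasdir.XXXXXX";    /* constructed scratch directory */
    int ok;

    if (mkdtemp(tmpl) == NULL)
        return 0;
    /* open() of a directory succeeds, so only the fstat() check can refuse it. */
    ok = open_as_real_user(tmpl, O_RDONLY) == -1 && errno == EINVAL;
    rmdir(tmpl);
    return ok;
}

int main(void)
{
    printf("regular file accepted: %d\n", check_regular_file_accepted());
    printf("directory rejected:    %d\n", check_directory_rejected());
    return 0;
}
```

The order matters: the privilege drop happens before the open and the type check happens on the descriptor after it, so neither a symlink pointing at a root-readable file nor a device or FIFO substituted for the expected aliases file gets past the privileged process.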