Subject: Re: Addition to force open to open only regular files
To: Noriyuki Soda <soda@sra.co.jp>
From: Warner Losh <imp@village.org>
List: tech-kern
Date: 11/23/2000 23:07:26
In message <200011231325.WAA05898@srapc342.sra.co.jp> Noriyuki Soda writes:
: There is no exploit that open_as() can fix but saved-ID feature
: cannot fix. Thus, open_as() is not needed.

Without seeing a good API on open_as, I'm inclined to agree.  Even
with a good API, I'd be inclined to agree.  There's no way to get the
saved ids that people would want to use with the parameter to the
open_as call.  At least not in a library.  I've not seen how this can
be done in this thread unless there's a getsuid() and a getsgid() system
call added as well.  And if there is, one can always do the seteuid()
trick that soda-san has been talking about, unless the process has
used setreuid() to do its ID swapping, in which case you can't do the
id swapping.

People seem to want an access(2) like system call that is really an
open_with_saved_id() rather than an open_as(), since you'd want to
restrict the open_as semantics to only be a few select uids.  If you
open the file with the right credentials, doing the double open dance
is just a waste and unnecessary.  If someone is racing you, it doesn't
matter: if you win the race, you open a file you have access to; if
you lose, you can't.

On a political note, I suspect that there will be a lot of pressure
for the other BSDs to pick up things like this, and I strongly suspect
that it will be an extreme firefight to get it into FreeBSD.  It seems
too specialized to be worth the fight.

It seems that the introduction of setr*id() has caused more problems
than the minor compatibility that it gave with other systems. :-)

Warner
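The "seteuid() trick" the message refers to, written out as an added example (not code from the thread or from any BSD): a set-user-ID process drops its effective uid to the real uid, opens the file, then returns to the saved set-user-ID. The permission check happens inside open(2) with the caller's own credentials, so there is no access(2)/open(2) window to race. The function name open_as_real_user is an assumption of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Open PATH with the real user's credentials from a set-user-ID process.
 * Relies on the saved set-user-ID still holding the privileged uid; as
 * the message notes, a process that already swapped ids with setreuid()
 * may have nothing privileged to return to.  Hypothetical helper name.
 * Returns the descriptor, or -1 with errno set.
 */
int open_as_real_user(const char *path, int flags)
{
    uid_t real = getuid();
    uid_t saved = geteuid();   /* privileged euid, also held as the saved uid */
    int fd, err;

    /* Cannot drop privilege: refuse rather than open with the wrong uid. */
    if (seteuid(real) == -1)
        return -1;

    /* The kernel checks PATH against the real user's ids right here. */
    fd = open(path, flags);
    err = errno;

    /* Regain the saved uid; if that fails, do not hand back a descriptor. */
    if (seteuid(saved) == -1) {
        if (fd != -1)
            close(fd);
        errno = EPERM;
        return -1;
    }
    errno = err;               /* preserve open(2)'s errno for the caller */
    return fd;
}
```

Run without the set-user-ID bit the real and effective uids already match, so both seteuid() calls are no-ops and the function degrades to a plain open(2).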