Subject: Re: fhopen, was Addition to force open to open only regular files
To: Greywolf <greywolf@starwolf.com>
From: Bill Studenmund <wrstuden@zembu.com>
List: tech-kern
Date: 11/28/2000 13:35:33
On Fri, 24 Nov 2000, Greywolf wrote:

> I'm wondering:  Why isn't fhopen() modified to check existing permissions
> before returning the descriptor?  getfh() doesn't appear able to bypass
> hierarchy permissions at random; all fhopen() does is guarantee that it'll
> return a descriptor to the file in question if it still exists.

Being the author of fhopen(), I can answer this. :-)

fhopen() doesn't check permissions because it is only usable by the super
user. It will never be usable by non-super users because that opens up an
attack vulnerability.

There is no way to ensure that the file handle passed to fhopen() came
from getfh(), so there's no way to ensure that the hierarchy checks
getfh() would have made (if it too were usable by non-super users) were
done. The structure of the contents of a file handle is documented in
various parts of the source, so file handles can be crafted. Iterate, and
you have an attack.

Take care,

Bill
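
The argument in Bill's reply, as a toy model added here for illustration (it is not NetBSD code and not part of the thread): an in-memory directory tree, a three-integer handle layout, a uid-only credential and the rule that fhopen() can check only the file's own mode bits are all assumptions made for the example. getfh() walks the hierarchy and checks search permission on every directory before handing out a handle; fhopen() goes from handle to vnode with no walk at all. Because a handle assembled by hand is byte-for-byte identical to one returned by getfh(), nothing inside fhopen() can tell them apart, and the superuser check at the top is the only thing that keeps getfh()'s hierarchy checks meaningful. Setting require_root to 0 models the change Greywolf asked about.

```c
/* Toy model of getfh()/fhopen(): added illustration, not NetBSD kernel code.
 * The tree, the handle layout and the credential struct are assumed here. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UID_ROOT  0
#define UID_ALICE 1000
#define UID_BOB   1001
#define FSID      0x1234u   /* assumed filesystem id */

/* A handle is just a few integers; nothing in it records who obtained it
 * or which checks were done on the way. */
struct fhandle { uint32_t fh_fsid, fh_ino, fh_gen; };
struct cred    { uint32_t uid; };

struct vnode {
    uint32_t ino, gen, uid;
    unsigned mode;    /* traditional permission bits, e.g. 0700 */
    int      parent;  /* index into fs[], -1 for the root directory */
    const char *name;
};

/* Constructed sample tree (not a real disk image):
 *   /                 root  0755  ino 2
 *   /home             root  0755  ino 3
 *   /home/alice       alice 0700  ino 4  (others have no search permission)
 *   /home/alice/notes alice 0644  ino 5  (world-readable, but unreachable) */
static const struct vnode fs[] = {
    { 2, 1, UID_ROOT,  0755, -1, "/"     },
    { 3, 1, UID_ROOT,  0755,  0, "home"  },
    { 4, 1, UID_ALICE, 0700,  1, "alice" },
    { 5, 1, UID_ALICE, 0644,  2, "notes" },
};
#define NODE_NOTES 3
#define NNODES (sizeof fs / sizeof fs[0])
enum { PERM_R = 4, PERM_X = 1 };

/* Mode-bit check: owner bits for the owner, "other" bits for everyone else. */
static int vaccess(const struct cred *c, const struct vnode *v, unsigned want)
{
    if (c->uid == UID_ROOT) return 0;
    unsigned bits = (c->uid == v->uid) ? (v->mode >> 6) : v->mode;
    return ((bits & 7) & want) == want ? 0 : EACCES;
}

/* getfh(): the path walk checks search permission on every ancestor
 * directory before a handle is handed out. */
static int model_getfh(const struct cred *c, int idx, struct fhandle *out)
{
    for (int p = fs[idx].parent; p >= 0; p = fs[p].parent)
        if (vaccess(c, &fs[p], PERM_X) != 0) return EACCES;
    out->fh_fsid = FSID; out->fh_ino = fs[idx].ino; out->fh_gen = fs[idx].gen;
    return 0;
}

/* fhopen(): handle -> vnode directly, with no path walk.  The superuser
 * check is the only thing standing between any caller and any file. */
static int model_fhopen(const struct cred *c, const struct fhandle *fh,
                        int require_root, int *vp_out)
{
    if (require_root && c->uid != UID_ROOT) return EPERM;
    if (fh->fh_fsid != FSID) return ESTALE;
    for (size_t i = 0; i < NNODES; i++) {
        if (fs[i].ino == fh->fh_ino && fs[i].gen == fh->fh_gen) {
            int err = vaccess(c, &fs[i], PERM_R); /* file's own bits only */
            if (err == 0) *vp_out = (int)i;
            return err;
        }
    }
    return ESTALE;
}

/* Bob cannot reach /home/alice/notes through the hierarchy: EACCES. */
int bob_getfh_result(void)
{
    struct cred bob = { UID_BOB }; struct fhandle fh;
    return model_getfh(&bob, NODE_NOTES, &fh);
}

/* ... but he can write down the integers getfh() would have produced
 * (the layout is documented; failing that, iterate over candidates). */
static struct fhandle forged_handle(void)
{
    struct fhandle fh = { FSID, 5, 1 };
    return fh;
}

/* EPERM while fhopen() is root-only; 0 (opened) once it is not. */
int bob_fhopen_result(int require_root)
{
    struct cred bob = { UID_BOB }; int vp = -1;
    struct fhandle fh = forged_handle();
    return model_fhopen(&bob, &fh, require_root, &vp);
}

/* The handle Alice obtains legitimately and Bob's forged one are
 * byte-for-byte identical; no check inside fhopen() can separate them. */
int forged_matches_legitimate(void)
{
    struct cred alice = { UID_ALICE };
    struct fhandle real, fake = forged_handle();
    if (model_getfh(&alice, NODE_NOTES, &real) != 0) return 0;
    return memcmp(&real, &fake, sizeof real) == 0;
}

int main(void)
{
    printf("getfh as bob:                %d (EACCES=%d)\n", bob_getfh_result(), EACCES);
    printf("fhopen forged, root-only:    %d (EPERM=%d)\n", bob_fhopen_result(1), EPERM);
    printf("fhopen forged, unprivileged: %d (0 = opened)\n", bob_fhopen_result(0));
    printf("forged == legitimate bytes:  %d\n", forged_matches_legitimate());
    return 0;
}
```

The model deliberately lets fhopen() check the file's own mode bits, so the bypass it shows is exactly the one the message describes: a file whose own permissions would allow the open, sitting inside a directory the caller may not search. Any "check existing permissions" added to fhopen() could only ever see the file, never the path that getfh() checked, which is why the superuser restriction cannot be dropped.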