Subject: Re: simple tpe implementation
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Antti Kantee <pooka@cs.hut.fi>
List: tech-kern
Date: 02/02/2007 18:31:34
On Fri Feb 02 2007 at 00:41:00 +0200, Elad Efrat wrote:
> +/*
> + * Check if the vnode is in a trusted path.
> + */
> +int
> +tpe_check(struct lwp *l, struct vnode *vp, struct vattr *va)
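Review bot: the comment above the declaration says the check is for a vnode "in a trusted path", but the function receives a single vnode and its vattr, so only that vnode can be examined; nothing about the directories leading to it is visible here. Either document that the caller must apply the check to every ancestor directory as well, or reword the comment to describe a per-vnode check. It is also not clear from the hunk what `l` and `vp` are for; if the body only reads `va`, the comment should say so, and should state that `va` must be a vattr the caller already filled in for `vp`.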

There's probably a good reason for the third parameter, but I'm missing
that now.

On Fri Feb 02 2007 at 08:44:31 +0900, YAMAMOTO Takashi wrote:
> > YAMAMOTO Takashi wrote:
> > >> +	/* XXX Must be owned by root. */
> > >> +	if (va->va_uid != 0)
> > >> +		return (EPERM);
> > >> +
> > >> +	/* Must not be writable by group or other. */
> > >> +	if (va->va_mode & (S_IWGRP | S_IWOTH))
> > >> +		return (EPERM);
> > >> +
> > >> +	return (0);
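Review bot: these two tests look only at the file's own owner and mode bits, so a root-owned, non-writable file that sits in a group- or world-writable directory passes, although anyone with write access to that directory can rename it away and put a replacement in its place. A check that is meant to establish a trusted path needs the same `va_uid` / `va_mode` test on each directory component, or the caller has to do it. The `/* XXX Must be owned by root. */` comment with the hard-coded `0` should say what is expected to replace it, and a one-line comment on why both failures return `EPERM` rather than `EACCES` would save the next reader a question.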
> > > 
> > > this kind of permission checks are filesystem dependent.
> > > consider acls or remote filesystems.
> > 
> > yes, that's why it's "simple".
> > 
> > how do you suggest doing it?
> > 
> > -e.
> 
> i have no good idea off hand.
> 
> VOP_ACCESS is the right way to check permissions,
> but it doesn't have "only root can.." functionality.
> we can change VOP, but it's almost impossible to implement
> for some filesystems.

... in which case we don't want the vattr argument to the function.
Also, it could encompass the notion of "vnode is a directory" in favour
of more transparent vnodes.  So essentially everything here would be
reduced to a single VOP-call.  And I don't see how that could be any
worse than these abstract checks for some file systems.

But I don't currently really care either way.

-- 
Antti Kantee <pooka@iki.fi>                     Of course he runs NetBSD
http://www.iki.fi/pooka/                          http://www.NetBSD.org/
    "la qualité la plus indispensable du cuisinier est l'exactitude"