tech-kern archive


Re: factoring out the change_root() and making exporting change_{root,dir}() as interface



On Wed, Jul 29, 2009 at 04:32:16AM +0300, Elad Efrat wrote:
> At the moment both of the exported change root interfaces call kauth(9)
> to authorize the operation.  Your patch exposes the internals,
> change_root(), allowing to bypass authorization. Is this your intention?
> If so, why?

It seems to me you are comparing apples and oranges.  The current
"exported" change root interfaces are system calls and export the
interface to the user-level.

I don't think my change exposes the internals.  In fact, it makes it
possible to add another caller without that caller knowing the
internals!

Of course, I could just have copy&pasted the relevant code and you'd be
none the wiser.

But you raise a good point.  Because my change obviates the need to
re-implement the critical code, it greatly improves our ability to check
that all calling sites do correct authorization: grepping for "change_root"
is so much easier than doing a semantic analysis of arbitrary code
and trying to figure out if that code has a chroot-like effect.

--chris
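As an added example that is not part of this thread and not NetBSD's own tooling, the following shell script shows the grep-style audit the message argues for: it lists every call site of change_root() and flags the ones that have no kauth_authorize_*() call earlier in the same function. It assumes KNF layout (a function body opens with "{" alone on a line, and the name of a function definition sits at column 0) and runs against two constructed C files; the kauth action names, struct fields and signatures in those files are illustrative, not copied from the NetBSD source.

```shell
#!/bin/sh
# Added example (not from the original thread or the NetBSD tree): audit
# change_root() call sites with grep/awk rather than semantic analysis.
# Assumptions: KNF layout ("{" alone on a line opens a function body, the
# name of a definition is at column 0) and that a caller authorizes via a
# kauth_authorize_*() call earlier in the same function.

# Print "file:line: text" for every change_root() call that has no
# kauth_authorize_* call earlier in the same function.
audit_change_root() {
    dir=$1
    find "$dir" -name '*.c' -print | sort | while read -r f; do
        awk -v file="$f" '
            $0 == "{"          { seen_auth = 0; next }   # new function body
            /kauth_authorize_/ { seen_auth = 1 }
            /^change_root\(/   { next }                  # the definition itself
            /change_root\(/ && !seen_auth {
                printf "%s:%d: %s\n", file, NR, $0
            }
        ' "$f"
    done
}

# Constructed sample tree standing in for sys/ in a real audit. The kauth
# action names and signatures below are illustrative only.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/kern" "$dir/compat"
    cat > "$dir/kern/vfs_syscalls.c" <<'EOF'
int
sys_chroot(struct lwp *l, const void *v, register_t *retval)
{
	int error;

	error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_CHROOT,
	    KAUTH_REQ_SYSTEM_CHROOT_CHROOT, NULL, NULL, NULL);
	if (error)
		return error;
	return change_root(l->l_proc->p_cwdi, vp, l);
}

int
change_root(struct cwdinfo *cwdi, struct vnode *vp, struct lwp *l)
{
	/* ... */
	return 0;
}
EOF
    cat > "$dir/compat/unauthorized_caller.c" <<'EOF'
static int
compat_setroot(struct lwp *l, struct vnode *vp)
{
	/* No kauth(9) check: this is what the grep should surface. */
	return change_root(l->l_proc->p_cwdi, vp, l);
}
EOF
}

# Number of flagged call sites in the constructed sample tree.
count_flagged_in_sample() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    audit_change_root "$tmp" | wc -l | tr -d ' '
    rm -rf "$tmp"
}
```

Run audit_change_root against sys/ of a real tree. The heuristic is deliberately textual, which is exactly why having one change_root() to grep for matters, but it only sees authorization performed in the same function, so a caller that authorizes in a helper shows up as a false positive to be checked by hand.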

