Subject: Re: Addition to force open to open only regular files
To: Bill Studenmund <wrstuden@zembu.com>
From: Greywolf <greywolf@starwolf.com>
List: tech-kern
Date: 11/28/2000 15:01:12
On Tue, 28 Nov 2000, Bill Studenmund wrote:

# Vnode locks should NEVER be held when a system call returns to userland.
# If you do that, you open up a huge Denial of Service attack:

D'oh!  You're right, of course!

# reserve(pathname, other options); for (;;;) stat(pathname, &a buffer);
# 
# You've just panic'd the computer. This (the lossage resulting from leaving
# a vnode locked) is called, "the race for root."

Okay, is there a reason that getfh() shouldn't be mortal-enabled? It
already does path checking for accessibility; and since a stat() on a
non-readable file is ok, fhstat shouldn't be a problem, either.
And finally, why not make fhopen() respect the permissions on the given
file?

I.e. why are these calls restricted to the super-user?  They'd be great
for providing against race conditions which might occur in the mortal
realm...

I must be missing something.

				--*greywolf;
--
*BSD: The Power of Code.
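The "open only regular files" check the thread's subject asks for can be done safely from userland without any new syscall or long-held vnode lock. This is an added example, not code from the thread or from NetBSD: it opens the path, then classifies the descriptor it already holds with fstat(), so a swap of the path between check and use cannot sneak in a non-regular file (open_regular and its self-check are assumed names).

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open pathname read-only and return a descriptor only if it names a
 * regular file. The type test is fstat() on the descriptor we hold, not
 * stat() on the path, so there is no check-then-use window on the name.
 * Nothing stays locked in the kernel once open() has returned. */
int open_regular(const char *pathname)
{
    struct stat sb;
    /* O_NONBLOCK keeps open() of a FIFO or device from blocking;
     * O_NOFOLLOW refuses a symlink at the final path component. */
    int fd = open(pathname, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &sb) < 0 || !S_ISREG(sb.st_mode)) {
        close(fd);          /* wrong type: release it, hand back nothing */
        return -1;
    }
    return fd;
}

/* Self-check: a freshly created scratch file (constructed here) is
 * accepted; a directory and a device node are refused.
 * Returns 1 on success, 0 on failure. */
int open_regular_self_check(void)
{
    char tmpl[] = "/tmp/openreg.XXXXXX";
    int tfd = mkstemp(tmpl);
    int fd, ok;
    if (tfd < 0)
        return 0;
    close(tfd);
    fd = open_regular(tmpl);
    ok = (fd >= 0);
    if (fd >= 0)
        close(fd);
    unlink(tmpl);
    ok = ok && open_regular("/") == -1 && open_regular("/dev/null") == -1;
    return ok;
}
```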