Subject: Re: per-user /tmp
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: bob smith <sfmc68@verizon.net>
List: tech-security
Date: 02/04/2007 08:23:39
Steven M. Bellovin wrote:
> On Sun, 04 Feb 2007 06:57:21 +0200
> Elad Efrat <elad@NetBSD.org> wrote:
> 
>> christos suggested we can make the code in login(1) a bit smarter: it
>> would readlink("/tmp") and if it's a symlink, it would take the
>> component of the link target up to "@uid" (say, "/private/tmp", in
>> the case of "/private/tmp/@uid") and create the private temp dir
>> there.
>>
> 
> Maybe we can think a bit more ambitiously about this, and have
> per-process mounted file systems, similar to Plan 9's.  These would be
> inherited via fork(), of course.
> 
> My suggestion raises some interesting questions for setuid programs,
> but I suspect that yours does, too.
> 
> 
> 
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb
> 
Steve,
you have gently hit on the issue that made me think of the humorous side 
of this effort - I still find humor where others don't - and that is the 
range of testing and verification that will have to be done to ensure 
that this does not produce a vulnerability.
Yes, it is a good idea. Yes, there will have to be some solid work, not 
just on Setuid programs but other applications that make assumptions 
about /tmp access.

bad bob

-- 
But I do love the work.