On 2001-04-13 23:12:16 +0000, David Wagner wrote:
> richard offer wrote:
> >Because I'm trying to write a well behaved application that doesn't
> >generate more errors than it needs too ?
>
> What do you mean? The canonical code is something like
> if ((fd = open(path, O_RDONLY)) < 0) {
> return NULL; /* open failed */
> }
> /* use fd */
> This is the usual Unix way. You seem to be arguing that apps need to
> be able to write code like this:
> if (allowed_to_open(path, O_RDONLY) < 0) {
> return NULL; /* open failed */
> }
> fd = open(path, O_RDONLY);
> /* use fd */
> I'd argue that the latter is, if anything, *worse* than the former.
> It's more error-prone: What if the open() really fails? It's also
> more dangerous: What about race conditions and TOCTTOU attacks?
I like the Unix model, and agree that you don't need to offer the
ability to check for permissions, if your system is robust enough to
allow applications to operate in a manner other than the "shed my
permission" model. It may occasionally be nice to check first, then
execute (e.g. to avoid consuming resources temporarily), but since you
always have the possibility of the system changing between your check
and actual allocation/use/whatever, it's not a win in reality.
If you require applications to start off with greater permissions and
then release them, you can end up with a situation where they are unable
to return to their original state and act appropriately.
Shane
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 16:32:46 PDT