l...@gnu.org (Ludovic Courtès), Wed, 21 Apr 2010 10:49:05 +0200:

> I think open file ports shouldn’t grant any authority beyond access to the open file. Just like an open file descriptor doesn’t convey any authority beyond access to the underlying file (if we omit ‘..’ lookups on a directory file descriptor with openat(3)).
I agree (and was about to cite openat(3) et al. -- glad you beat me to it!), but that's neither here nor there: whether or not the authority associated with the containing directory is user-visible is a design detail of the directory object. (More information need not imply more access.)

That is, if a file port supports ‘file-port-directory’, then how to use/restrict the resulting object is left up to higher layers, where it belongs.

Reifying directories is good for both security and efficiency. Why chase symlinks and {l}stat(2) more than necessary?

thi
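As an added illustration of the capability point made in this thread (example code, not from the thread or from Guile): a C sketch in which a lookup can exercise no authority beyond the directory fd it starts from, refusing ‘..’ and opening every component O_NOFOLLOW, so no separate lstat(2) pass is needed; plain openat(2) is run alongside it to show the ‘..’ and symlink escape Ludovic alludes to. The names open_beneath/try_open and the temp-directory fixture are constructed for this demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `rel` beneath the directory capability `dirfd`.  Absolute paths and ".."
   are refused and every component is opened O_NOFOLLOW (intermediates also
   O_DIRECTORY), so the lookup exercises no authority beyond `dirfd` itself. */
int open_beneath(int dirfd, const char *rel, int flags)
{
    char buf[4096];
    if (rel[0] == '/' || strlen(rel) >= sizeof buf) return -1;
    strcpy(buf, rel);
    int cur = fcntl(dirfd, F_DUPFD_CLOEXEC, 0);   /* private copy of the capability */
    char *save, *tok = strtok_r(buf, "/", &save);
    while (cur >= 0 && tok) {
        char *next = strtok_r(NULL, "/", &save);
        int nfd = strcmp(tok, "..") ? openat(cur, tok, (next ? O_RDONLY | O_DIRECTORY : flags)
                                                  | O_NOFOLLOW | O_CLOEXEC) : -1;
        close(cur);
        cur = nfd, tok = next;
    }
    return cur;
}

/* Constructed fixture, built in a fresh temp dir on first call:
   secret.txt, jail/ok.txt and jail/link -> ../secret.txt.  Returns jail's fd. */
static int jail_fd(void)
{
    static int fd = -1; char d[] = "/tmp/cap-demo-XXXXXX";
    if (fd >= 0 || !mkdtemp(d)) return fd;
    int top = open(d, O_RDONLY | O_DIRECTORY);
    close(openat(top, "secret.txt", O_WRONLY | O_CREAT, 0600));
    mkdirat(top, "jail", 0700);
    fd = openat(top, "jail", O_RDONLY | O_DIRECTORY); close(top);
    close(openat(fd, "ok.txt", O_WRONLY | O_CREAT, 0600));
    symlinkat("../secret.txt", fd, "link");
    return fd;
}

/* 1 if `rel` opens from the jail; confined=0 is plain openat(2), which follows ".." and symlinks out. */
int try_open(const char *rel, int confined)
{
    int jail = jail_fd();
    int fd = confined ? open_beneath(jail, rel, O_RDONLY) : openat(jail, rel, O_RDONLY);
    if (fd >= 0) close(fd);
    return fd >= 0;
}
```

With the confined open, "ok.txt" succeeds while "../secret.txt" and "link" are refused; the unconfined openat(2) opens both escapes, which is exactly the extra authority a reified directory object lets higher layers decide whether to expose.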