> This system call embodies a fairly fundamental shift away from the
> Unix model that object permissions are checked when you get a handle
> to an object -- not when you use that handle.
Actually, I think that's true only of file descriptors. I'm having trouble thinking of any other case where permissions are checked at handle create rather than at use. For example, if you chdir(), then you still need search access when you do lookups (in this case access is checked at both times). When you read/write a tty, SIGTTIN/SIGTTOU checking takes place with respect to process groups at time of read/write, not time of open. kill(2) checks UIDs at time of calling kill(), not time of your getting the PID of the target. To name just three examples. Indeed, I think file descriptors are the odd ones out here, not the other way around.

/~\ The ASCII                           Mouse
\ / Ribbon Campaign
 X  Against HTML           mo...@rodents-montreal.org
/ \ Email!          7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
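The file-descriptor case the reply singles out can be observed directly. The following is an added example, not code from the thread: it creates a constructed scratch file under /tmp (assumed writable), opens it for reading, then revokes all mode bits with chmod(path, 0); the fd obtained earlier keeps reading, while a fresh open() of the same path is refused. Root bypasses mode bits, so the refusal is only expected for an unprivileged user.

```c
/* Added example (not from the thread): fd permissions are fixed at
 * open(); after chmod(path, 0) the old fd still reads, a new open()
 * is refused (root bypasses mode bits, so refusal needs a normal user). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct fd_result {
    int old_fd_read_ok;   /* read() on the pre-existing fd still succeeds */
    int new_open_refused; /* fresh open() fails with EACCES after chmod(0) */
    int ran_as_root;      /* root ignores mode bits, so refusal not expected */
};

struct fd_result demo_fd_permission_timing(void)
{
    struct fd_result r = { 0, 0, geteuid() == 0 };
    char path[] = "/tmp/fdperm-XXXXXX";     /* constructed scratch file */
    const char msg[] = "checked at open, not at read\n";
    char buf[64];
    ssize_t len = (ssize_t)(sizeof msg - 1);

    int fd = mkstemp(path);                 /* created 0600, owned by us */
    if (fd < 0 || write(fd, msg, len) != len) { perror("mkstemp/write"); return r; }
    close(fd);
    int rfd = open(path, O_RDONLY);         /* read permission checked here, once */
    if (rfd < 0) { perror("open"); unlink(path); return r; }
    if (chmod(path, 0) != 0) { perror("chmod"); close(rfd); unlink(path); return r; }

    ssize_t n = read(rfd, buf, sizeof buf); /* existing handle: no recheck at use */
    r.old_fd_read_ok = (n == len && memcmp(buf, msg, (size_t)n) == 0);

    int nfd = open(path, O_RDONLY);         /* new handle: checked afresh, mode 0000 */
    if (nfd < 0) r.new_open_refused = (errno == EACCES);
    else close(nfd);

    close(rfd);
    unlink(path);                           /* owner may unlink regardless of mode */
    return r;
}

/* Single verdict for callers: did the experiment match the expectation? */
int fd_permission_timing_ok(void)
{
    struct fd_result r = demo_fd_permission_timing();
    return r.old_fd_read_ok && (r.ran_as_root || r.new_open_refused);
}
```

The same experiment run against chdir() and a later lookup would show the opposite, since search permission on the directory is re-evaluated at each lookup.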