> Currently, npppd's PRIVSEP_OPEN message (abstracted as priv_open())
> accepts arbitrary open() flags and passes a mode argument. That
> seems...unwise.
>
> In particular, it never passes O_CREAT, so the mode argument isn't needed.
> Indeed, the only open 'flags' it needs are O_RDONLY and O_RDWR. If we
> also permit O_NONBLOCK then the caller can skip using ioctl(FIONBIO) too.
>
> So:
> * kill the 'mode' argument to PRIVSEP_OPEN and priv_open()
> * fail a PRIVSEP_OPEN call if it's passed any flags other than
> O_ACCMODE or O_NONBLOCK
> * paranoia: mask O_CREAT when calling open() with only two arguments
> * instead of using ioctl(FIONBIO) after the fact, pass O_NONBLOCK to
> priv_open()
>
> I don't use npppd, so I only know this compiles and haven't actually
> tested it in any way.
Looks like a good start. I don't know the code either, but it is probably better if privseps had more narrow, task-specific operations. Like open-specific-file-for-read, and open-log-over-there. Privsep operations should be tightly specified, not very generic. Then the child can't open anything. It feels like this should be PRIVSEP_GET_NEW_TUN (with the parent selecting which one).
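The flag allow-list and O_CREAT masking proposed in the quoted message, as an added illustration (not npppd's code, and the names privsep_open_flags_ok and priv_open_handler are made up here); it reads the proposal slightly more strictly by also rejecting O_WRONLY, since the message says only O_RDONLY and O_RDWR are needed:

```c
/* Added example of a privileged-side check for a PRIVSEP_OPEN request.
 * Hypothetical names; this is not code from npppd. */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* The only flags the unprivileged child may request: an access mode
 * plus O_NONBLOCK (so the child no longer needs ioctl(FIONBIO)). */
#define PRIVSEP_OPEN_ALLOWED	(O_ACCMODE | O_NONBLOCK)

/* Return 1 if the requested flags are acceptable, 0 otherwise. */
int
privsep_open_flags_ok(int flags)
{
	/* Anything outside the allow-list (O_CREAT, O_TRUNC, O_APPEND,
	 * O_EXCL, ...) fails the request outright. */
	if ((flags & ~PRIVSEP_OPEN_ALLOWED) != 0)
		return 0;

	/* Only read-only and read-write access are needed; reject
	 * O_WRONLY and the invalid O_RDONLY|O_WRONLY combination. */
	switch (flags & O_ACCMODE) {
	case O_RDONLY:
	case O_RDWR:
		return 1;
	default:
		return 0;
	}
}

/* Privileged side: open a file on behalf of the child. Returns a
 * descriptor to pass back, or -1 with errno set. No mode argument,
 * because O_CREAT is never honoured. */
int
priv_open_handler(const char *path, int flags)
{
	if (!privsep_open_flags_ok(flags)) {
		errno = EINVAL;
		return -1;
	}
	/* Paranoia: never let O_CREAT reach a two-argument open(). */
	return open(path, flags & ~O_CREAT);
}
```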