On Thu, Jun 22, 2006 at 08:36:05PM +0200, Nicolai Johannes wrote: > To the question whether we should care about being able to write files at all: > > I am not sure whether the following access checks are done by the > file system layer, but what is with files in /dev/, named pipes and > Unix Domain Sockets? Also for lockfiles, that may be removed by other > users, writing file would make sense.
A daemon which needs to open these things could keep the WRITE privilege in it's permitted set, and only set it while it needed it. I'd imagine that for most daemons, you could simply drop WRITE entirely, because you never need to do a open(..., O_WRITE) afterwards. As with most basic privileges, you need to be careful if you drop it. This is not a surprise. Cheers, - jonathan > -----Urspr?ngliche Nachricht----- > Von: [EMAIL PROTECTED] im Auftrag von [EMAIL PROTECTED] > Gesendet: Do 22.06.2006 20:23 > An: Nicolas Williams > Cc: Jonathan Adams; Nicolai Johannes; [EMAIL PROTECTED] > Betreff: Re: AW: AW: [zfs-discuss] Proposal for new basic privileges related > with filesystem access checks > > > >Thinking about PID re-use, yes, but I'm not trying to design the > >specific details -- I think a set of items to cache that provides strong > >security guarantees can be found. The interface would remain > >unpredictable in other ways, but that seems like a small price to pay > >considering the use cases. > > I think that this "cache design" really points to deficiencies in > the underlying architecture. If you have to add workarounds for > certain parts of the behaviour, you generally do better reconsidering > the initial design. And to question whether we actually care about > being able to write files at all. > > Casper > > _______________________________________________ > zfs-discuss mailing list > zfs-discuss@opensolaris.org > http://mail.opensolaris.org/mailman/listinfo/zfs-discuss -- Jonathan Adams, Solaris Kernel Development _______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
