Re: What's left over.

From: Stephen Frost (sfrost@snowman.net)
Date: Thu Oct 31 2002 - 12:11:15 EST


* Alexander Viro (viro@math.psu.edu) wrote:
> On Thu, 31 Oct 2002, Stephen Wille Padnos wrote:
> > Unless I'm missing something, that only works if all the users need
> > *exactly* the same permissions to all files, which isn't a good assumption.
>
> That's the point. In practice shared writable access to a directory can be
> easily elevated to full control of each others' accounts, since most of
> userland code is written in implicit assumption that nothing bad happens with
> directory structure under it. And there is nothing kernel can do about that -
> attacker does action you had explicitly allowed and your program goes bonkers
> since it can't cope with that. Mechanism used to allow that action doesn't
> enter the picture - be it ACLs, groups or something else.

So you're not really arguing against ACLs, you're complaining that
userspace is broken when there's shared write access. That's fine,
userspace should be fixed, inclusion of ACLs into the kernel shouldn't
be denied because of this. ACLs should be optional, of course, and if
you want them some really noisy warnings about the problems of shared
writeable area with current userspace tools. Of course, that same
warning should probably be included in 'groupadd'.

        Stephen






This archive was generated by hypermail 2b29 : Thu Oct 31 2002 - 22:00:55 EST