Re: PROPOSAL: Process Authentication Groups (PAGs) (fwd)

Michael Callahan (mjc@rodagroup.com)
Tue, 24 Feb 1998 02:47:14 -0500 (EST)


On Mon, 23 Feb 1998, Malcolm Beattie wrote:

> One thing which hasn't yet been mentioned is that file descriptors sent
> across Unix domain sockets and SCM_CREDENTIALS socket control messages
> actually provide a complete key-based authentication.
[...]
> Further,
> inheritance also "just works" since they're file descriptors.

I can see that file descriptors can be used as opaque capabilities in the
way you describe, but it's not clear that they are quite what we're
looking for. The desired mechanism should serve to identify requests
coming from the VFS layer. We can't rely on the user-level code to
present a particular file descriptor as a capability. Scanning the
process's file table for an authentication descriptor doesn't seem very
appealing. Furthermore, isn't it possible that there might be programs
out there that blithely close file descriptors they don't recognize--which
could cause them to lose authentication in hard-to-understand ways?

Michael
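The fragility raised in the message above, as an added example that is not part of the original post or of any kernel code: a descriptor passed over a Unix domain socket with SCM_RIGHTS is inherited across fork(), then silently destroyed by a daemon-style loop that closes every descriptor it does not recognize. The function names, the pipe standing in for an "authentication" descriptor, and the 256-descriptor bound are assumptions made for illustration.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pass descriptor fd over Unix socket sock as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd) {
    char byte = 'k';                       /* one payload byte carries the cmsg */
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl, .msg_controllen = sizeof(ctl) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns its number in this process, or -1. */
static int recv_fd(int sock) {
    char byte;
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl, .msg_controllen = sizeof(ctl) };
    int fd = -1;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

static int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; } /* EBADF once closed */

/* Returns 1 if a child inherited the passed descriptor and then lost it to a close-all loop. */
int capability_lost_in_child(void) {
    int sv[2], pfd[2], status = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || pipe(pfd) || send_fd(sv[0], pfd[0])) return -1;
    int cap = recv_fd(sv[1]);              /* stand-in "authentication" descriptor */
    pid_t pid = fork();
    if (pid == 0) {
        int inherited = fd_is_open(cap);   /* inheritance works, as the quoted text says */
        for (int fd = 3; fd < 256; fd++) close(fd);   /* blithe cleanup of unknown fds */
        _exit(inherited && !fd_is_open(cap) ? 0 : 1);
    }
    if (pid > 0) waitpid(pid, &status, 0);
    close(sv[0]); close(sv[1]); close(pfd[0]); close(pfd[1]); close(cap);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```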
