Should a user be able to revoke a file descriptor opened by a root
processes in the first place?
No, revoke(2) *must* be reserved for root. There's simply far too much
mischief that could be done otherwise. And although people have said it
already, revoke(2) does not simply close the file descriptors. It must
instead invalidate the file descriptor so that read, write's, ioctl's,
etc. return errors or EOF's. Otherwise, a lot of damage can result.
Consider:
Process 1: Process 2
Opens /etc/file1, kernel returns fd 4
Starts writing to fd 4
Calls revoke on /etc/file1
badly implemented patch
closes fd 4 in process 1
Opens /etc/precious_data, kernel returns fd 4
Continues writing to file descriptor which
process 1 thinks is /etc/file1,
but instead trashes /etc/precious_data
instead.
Finally, to whoever implements revoke: Note that it would be nice if the
tty hangup code and the vhangup system call can be implemented in terms
of the new revoke code. This would simplify the kernel a bit, since
there's no reason why the tty hangup code needs to do and the revoke()
system call needs to do shouldn't sure code paths.
- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/