Marcus Brinkmann <[EMAIL PROTECTED]> writes:

> Now, we have our own temp reaper. And a tmp reaper would be trivial
> if you would hack rm to have a "--do-not-follow-translator" option.
> But I believe that is not good enough. The reason is that

So my response in the past has been "filesystem traversers need to know about this new feature." You are probably right indeed, however, when you say:

> 1) It is unfeasible to change all programs that traverse filesystems,
> or just follow untrusted paths. It may not even be possible to
> easily find out which programs do that.

Moreover, we have to re-program users, not just programs. So even if we could fix every program, we can't fix all their users:

> 3) This is the POSIX personality of the Hurd, and people will have
> certain expectations about how to be secure.

> I have posted a suggestion to fix this a long time ago, but can't find
> the mail right now (maybe I never sent it?). The solution would be to
> always open nodes with O_NOTRANS, and if the translator bit is set,
> there is a user ID check. If the user ID belongs to a trusted set,
> which by default is "0-XXX,myself" where 0-XXX is the range of system
> user IDs (this would be 0-999 on my system, I think), then the
> translator is followed. Otherwise it is not followed, unless the user
> explicitly specifies a new flag O_TRANS.

Yes, that works; having it done through an environment variable makes it fairly easy for users to overcome it when they want. I'm not sure this is the right fix, but it looks like it would work well.

_______________________________________________
Bug-hurd mailing list
Bug-hurd@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-hurd
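The owner-uid check that the quoted proposal describes (open with O_NOTRANS, then follow the translator only if its owner is in a trusted set or the caller asked explicitly), written out as an added example; this is not Hurd code and not from either author. The trusted-set spec format "0-999,myself" follows the quoted text, and EX_O_TRANS is a stand-in constant for the proposed O_TRANS flag, both assumptions.

```c
/* Policy half of the proposed scheme: the caller has already opened the
 * node with O_NOTRANS and read its owner uid and translator bit; this
 * decides whether following the translator is allowed. Hypothetical code. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in for the proposed O_TRANS ("follow regardless") open flag. */
#define EX_O_TRANS 0x1

/* True if `owner` falls inside a spec such as "0-999,myself". The word
 * "myself" matches the caller's own uid `self`; other tokens are a single
 * uid or an inclusive lo-hi range. Malformed tokens grant nothing. */
bool uid_in_trusted_set(const char *spec, uid_t owner, uid_t self)
{
    char buf[256];
    if (strlen(spec) >= sizeof buf)
        return false;                 /* over-long spec: fail closed */
    strcpy(buf, spec);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (strcmp(tok, "myself") == 0) {
            if (owner == self)
                return true;
            continue;
        }
        char *end;
        unsigned long lo = strtoul(tok, &end, 10), hi = lo;
        if (end == tok)
            continue;                 /* not a number: ignore */
        if (*end == '-') {
            char *end2;
            hi = strtoul(end + 1, &end2, 10);
            if (end2 == end + 1 || *end2 != '\0')
                continue;             /* "5-" or "5-x": ignore */
        } else if (*end != '\0') {
            continue;                 /* trailing junk: ignore */
        }
        if (owner >= lo && owner <= hi)
            return true;
    }
    return false;
}

/* Follow only when there is a translator to follow AND either the caller
 * opted in with EX_O_TRANS or the translator's owner is trusted. */
bool should_follow_translator(bool translator_bit, uid_t owner, uid_t self,
                              const char *trusted_spec, int flags)
{
    if (!translator_bit)
        return false;                 /* plain node, nothing to follow */
    if (flags & EX_O_TRANS)
        return true;                  /* explicit override by the caller */
    return uid_in_trusted_set(trusted_spec, owner, self);
}
```

A traverser such as the tmp reaper would call should_follow_translator() for every node and skip the translator when it returns false, so a translator set by an untrusted uid under /tmp is never entered on the reaper's behalf.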