On Sat, 24 Mar 2007, Ron Johnson wrote:
> > On the contrary. It makes it so that the only way that someone can get
> > to the file is by having cracked the kernel itself. That is, without
> > the file descriptor, no other process can get to the data. For example,
> > qemu does this. Lots of other programs do this as well for security.
> > They open the file, immediately unlink it and then the only access is
> > via the file descriptor.
>
> That reminds me of the Vietnam War philosophy "we had to destroy the
> village in order to save the village". It was bad "design" 40 years
> ago, it's a bad design now.
No. You destroy the village in order for it not to be able to bother you anymore, because you care a lot more about your objectives than the people in the village.

And it is *excellent* design to unlink an open file, depending on what you want it for. It is the only failure-proof way to make sure temporary files cannot be attacked from outside, and also that they will disappear if the program crashes, exits, or has other problems. You can easily change that to an "unlink on successful exit" thing when running in debug mode, too.

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all
and in the darkness grind them. In the Land of Redmond where the shadows lie."
-- The Silicon Valley Tarot
Henrique Holschuh

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
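The open-then-unlink pattern discussed in this thread, as an added C example that is not from either poster or from qemu: `mkstemp` creates a 0600 temp file, the name is removed at once so only holders of the descriptor can reach the data, and a `keep_name` flag models the "unlink on successful exit" debug variant. The function names and the `/tmp/scratch-XXXXXX` template are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkstemp */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a 0600 temp file and, unless keep_name is set (the "debug mode"
 * case), unlink it immediately: from then on only holders of the returned
 * fd can reach the data. The path is copied to path_out either way so the
 * caller can inspect it, or unlink it on successful exit in keep_name mode.
 * Returns the fd, or -1 on error. (Hypothetical helper, not qemu's code.) */
int scratch_open(int keep_name, char *path_out, size_t n) {
    char path[] = "/tmp/scratch-XXXXXX";       /* mkstemp replaces the Xs */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    snprintf(path_out, n, "%s", path);
    if (!keep_name && unlink(path) != 0) { close(fd); return -1; }
    return fd;
}

/* Write constructed data, then check what the name and the fd can still see.
 * Returns 1 when the observed state matches the mode, 0 otherwise. */
int scratch_roundtrip(int keep_name) {
    char path[64];
    int fd = scratch_open(keep_name, path, sizeof path);
    if (fd < 0) return 0;
    int ok = 0;
    const char msg[] = "scratch data";          /* constructed sample input */
    struct stat st;
    char buf[sizeof msg];
    if (write(fd, msg, sizeof msg) != (ssize_t)sizeof msg) goto out;
    if (fstat(fd, &st) != 0 || st.st_size != (off_t)sizeof msg) goto out;
    if (keep_name) {
        /* Name still exists: one link, and a by-name open would succeed. */
        if (st.st_nlink != 1 || access(path, F_OK) != 0) goto out;
    } else {
        /* Name is gone: zero links, nobody can open() it by path any more. */
        if (st.st_nlink != 0 || access(path, F_OK) == 0) goto out;
    }
    /* Either way the data stays readable through the descriptor. */
    if (lseek(fd, 0, SEEK_SET) != 0 ||
        read(fd, buf, sizeof buf) != (ssize_t)sizeof buf) goto out;
    ok = memcmp(buf, msg, sizeof msg) == 0;
out:
    close(fd);                        /* last reference: kernel frees the inode */
    if (keep_name && ok) unlink(path);  /* "unlink on successful exit" */
    return ok;
}
```

In the unlinked mode the kernel also reclaims the file if the process crashes, since closing the last descriptor is all the cleanup that remains.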