James Buchanan <[EMAIL PROTECTED]> writes:

> This requires that glibc always does a secure lookup, and then inspects
> the node to decide if it wants to resolve the translator or not. This
> adds a small cost to all cross-translator lookups, but cross-translator
> lookups are expensive already anyway.

I don't remember if this has been discussed already, but anyway: This sounds like a race condition. I think the right thing to do is to first open the node (using O_NOTRANS) and examine it. If the translator is to be followed, the node should not be opened again; instead one needs a special function that follows the translator setting for the opened node. There's no such function in the current file interface, is there?

One design might be to have a general "reopen" mechanism that opens a file with a new set of openflags (not all variants need to work; for example, opening a translator file without O_NOTRANS and later "reopening" it with O_NOTRANS, which could mean to get the underlying file, might not work).

For security reasons, this should probably not be enabled by default (if you open a file read-only, and pass the handle to some other process, you probably don't want the other process to be able to reopen the file in read-write mode, or reopen it with a different value for the O_NOTRANS flag). But this could just be one more open flag, say O_ALLOW_REOPEN. Then glibc could do something like

    f = open(name, mode | O_NOTRANS | O_ALLOW_REOPEN);
    fstat(f, &st);
    if (translator that should be followed)
        f = reopen(f, mode);              /* Follow translator */
    else
        f = reopen(f, mode | O_NOTRANS);  /* Disable reopen */

Regards,
/Niels

_______________________________________________
Bug-hurd mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-hurd
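
The race described in the message above, as an added example that is not part of the original message or of glibc or the Hurd. Because reopen() and O_ALLOW_REOPEN are only proposed there, it uses the POSIX analogue as an assumption: a symlink stands in for a translator and O_NOFOLLOW for O_NOTRANS. All function names and fixture paths are hypothetical and constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static char node[64], target[64];        /* constructed fixture paths */
static void swap_node(void) { unlink(node); if (symlink(target, node)) abort(); }

/* Racy: inspect the NAME, then look the name up a second time. */
int open_by_name(void (*window)(void))
{
    struct stat st;
    if (lstat(node, &st) < 0 || !S_ISREG(st.st_mode)) return -1;
    window();                            /* another process swaps the node */
    return open(node, O_RDONLY);         /* follows whatever is there now */
}

/* Race-free: one non-following lookup, then decide on the handle. */
int open_by_handle(void (*window)(void))
{
    struct stat st;
    int fd = open(node, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;               /* ELOOP: the name is a symlink */
    window();                            /* too late: fd is already bound */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Fresh fixture, one variant, swap in the window. Returns 1 if the fd landed
 * on `target`, 0 if it stayed on the inspected node, -1 if refused. */
int scenario(int by_handle)
{
    char dir[] = "/tmp/reopen-demo-XXXXXX";
    struct stat a, b;
    int fd, r = -1;
    if (!mkdtemp(dir)) return -2;
    snprintf(node, sizeof node, "%s/node", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    close(open(node, O_CREAT | O_WRONLY, 0600));
    close(open(target, O_CREAT | O_WRONLY, 0600));
    fd = by_handle ? open_by_handle(swap_node) : open_by_name(swap_node);
    if (fd >= 0 && fstat(fd, &a) == 0 && stat(target, &b) == 0)
        r = a.st_dev == b.st_dev && a.st_ino == b.st_ino;
    if (fd >= 0) close(fd);
    unlink(node); unlink(target); rmdir(dir);
    return r;
}
int main(void) { printf("name: %d, handle: %d\n", scenario(0), scenario(1)); return 0; }
```

The name-based variant ends up holding a descriptor on the swapped-in target, while the handle-based variant stays on the node it inspected.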