Carl Fredrik Hammar, on Fri 16 Apr 2010 11:52:04 +0200, wrote:
> > 2. If yes on question 1, would this be insecure? For example, if
> > the user overrides a library used by a setuid program? (Then
> > again, if the program is running as e.g. root by setuid, it
> > wouldn't [at least shouldn't] see the files as the user does)
>
> Actually, I'm not entirely sure.

I'd prefer somebody else checks it too, but I believe it works this way:
diskfs_S_file_exec calls fshelp_exec_reauth, which returns secure==1 when
the ID changes, which makes file_exec add EXEC_SECURE. In exec's
do_exec(), one can read

  if (secure || (defaults && boot->portarray[INIT_PORT_CRDIR] == MACH_PORT_NULL))
    use (INIT_PORT_CRDIR, std_ports[INIT_PORT_CRDIR], 1, 0);

which resets the root port to the hurd (or sub-hurd) root.

> I know that the setuid program gets
> its credentials from the translator the executable is in, but I don't
> remember how / is handled or if linking is handled specially (and I'm
> too lazy to investigate further ATM).

Linking is done by the executed program itself, thus after the CRDIR
initialization above.

> > 4. Is it possible for a translator to provide different views of
> > the node for different users? For example, could each user have
> > their own list of packages they want installed and the HPM
> > translator would use ref-counting to install packages with
> > ref-count > 0, and/or perhaps even make different packages
> > appear installed for different users?
>
> This is actually possible, as the translator knows the user of the
> client so it can grant or withhold access. But I suspect that using
> it to provide different services to different users would violate many
> assumptions made by clients.

Could you try to find examples? Usually, applications are not meant to be
run under several different identities.

Samuel
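Added example, not part of the thread and not Hurd source: a constructed C model of the chain Samuel describes (file_exec calling fshelp_exec_reauth, EXEC_SECURE being set when the id changes, and do_exec resetting INIT_PORT_CRDIR to the exec server's own root before the program's dynamic linker runs). Ports are plain integers, and the flag values, function names and sample port numbers are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not Hurd source) of the exec path discussed in the
 * mail. Ports are plain integers; flag values are assumed for the model. */
typedef unsigned int port_t;
#define MACH_PORT_NULL ((port_t)0)
#define EXEC_SECURE    0x1u   /* assumed value; real one is in <hurd/exec.h> */
#define EXEC_DEFAULTS  0x2u   /* assumed value */

enum { INIT_PORT_CWDIR, INIT_PORT_CRDIR, INIT_PORT_AUTH, INIT_PORT_MAX };

/* Model of fshelp_exec_reauth: the exec is "secure" when the credentials
 * handed to the new image differ from the caller's (setuid executable
 * owned by a different id). */
bool exec_reauth_is_secure(unsigned caller_uid, unsigned file_uid, bool setuid_bit)
{
    return setuid_bit && caller_uid != file_uid;
}

/* Model of the do_exec() fragment quoted in the mail: which root directory
 * port the new image receives. std_ports is the exec server's own table. */
port_t initial_crdir(const port_t *portarray, const port_t *std_ports, unsigned flags)
{
    bool secure   = (flags & EXEC_SECURE) != 0;
    bool defaults = (flags & EXEC_DEFAULTS) != 0;
    if (secure || (defaults && portarray[INIT_PORT_CRDIR] == MACH_PORT_NULL))
        return std_ports[INIT_PORT_CRDIR];   /* caller's root is discarded */
    return portarray[INIT_PORT_CRDIR];       /* caller's root is kept */
}

/* Whole chain: the root seen by the executed program, and so by its dynamic
 * linker, which runs only after this port initialization. */
port_t crdir_seen_by_new_image(unsigned caller_uid, unsigned file_uid, bool setuid_bit,
                               const port_t *portarray, const port_t *std_ports,
                               bool defaults)
{
    unsigned flags = defaults ? EXEC_DEFAULTS : 0;
    if (exec_reauth_is_secure(caller_uid, file_uid, setuid_bit))
        flags |= EXEC_SECURE;
    return initial_crdir(portarray, std_ports, flags);
}

int main(void)
{
    port_t std_ports[INIT_PORT_MAX]  = {10, 11, 12}; /* constructed: system root = 11 */
    port_t user_ports[INIT_PORT_MAX] = {20, 21, 22}; /* constructed: user-chosen root = 21 */
    printf("plain exec:  root port %u\n", crdir_seen_by_new_image(1000, 1000, false, user_ports, std_ports, false));
    printf("setuid exec: root port %u\n", crdir_seen_by_new_image(1000, 0, true, user_ports, std_ports, false));
    return 0;
}
```

The second call shows the point of the thread: a setuid execution with an id change gets the exec server's root, so a root directory substituted by the caller never reaches the dynamic linker.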