On Fri, Apr 16, 2010 at 01:59:16PM +0200, Samuel Thibault wrote:
> Carl Fredrik Hammar, on Fri 16 Apr 2010 11:52:04 +0200, wrote:
> > > 2. If yes on question 1, would this be insecure? For example, if
> > > the user overrides a library used by a setuid program? (Then
> > > again, if the program is running as e.g. root by setuid, it
> > > wouldn't [at least shouldn't] see the files as the user does)
> >
> > Actually, I'm not entirely sure.
>
> I'd prefer somebody else checks it too, but I believe it works this way:
>
> diskfs_S_file_exec calls fshelp_exec_reauth, which returns secure==1
> when the ID changes, which makes file_exec add EXEC_SECURE. In exec's
> do_exec(), one can read
>
>   if (secure || (defaults
>                  && boot->portarray[INIT_PORT_CRDIR] == MACH_PORT_NULL))
>     use (INIT_PORT_CRDIR, std_ports[INIT_PORT_CRDIR], 1, 0);
>
> which resets the root port to the hurd (or sub-hurd) root.
Ah, this rings a bell. I'm a bit surprised that it gets the root
directory from exec and not the translator though.

> > > 4. Is it possible for a translator to provide different views of
> > > the node for different users? For example, could each user have
> > > their own list of packages they want installed and the HPM
> > > translator would use ref-counting to install packages with
> > > ref-count > 0, and/or perhaps even make different packages
> > > appear installed for different users?
> >
> > This is actually possible, as the translator knows the user of the
> > client so it can grant or withhold access. But I suspect that using
> > it to provide different services to different users would violate many
> > assumptions made by clients.
>
> Could you try to find examples? Usually, applications are not meant to
> be run under several different identities.

Not simultaneously, but applications can change their identity midway
with setuid(). I wouldn't really know where to look for examples, sorry.

Perhaps I'm overreacting though, as having chroots for each user could
just as well cause confusion.

Regards,
  Fredrik
