Carl Fredrik Hammar, on Fri 16 Apr 2010 15:07:22 +0200, wrote:
> On Fri, Apr 16, 2010 at 01:59:16PM +0200, Samuel Thibault wrote:
> > Carl Fredrik Hammar, on Fri 16 Apr 2010 11:52:04 +0200, wrote:
> > > > 2. If yes on question 1, would this be insecure? For example, if
> > > > the user overrides a library used by a setuid program? (Then
> > > > again, if the program is running as e.g. root by setuid, it
> > > > wouldn't [at least shouldn't] see the files as the user does)
> > >
> > > Actually, I'm not entirely sure.
> >
> > I'd prefer somebody else checks it too, but I believe it works this way:
> >
> > diskfs_S_file_exec calls fshelp_exec_reauth, which returns secure==1
> > when the ID changes, which makes file_exec add EXEC_SECURE. In exec's
> > do_exec(), one can read
> >
> >   if (secure || (defaults
> >                  && boot->portarray[INIT_PORT_CRDIR] == MACH_PORT_NULL))
> >     use (INIT_PORT_CRDIR, std_ports[INIT_PORT_CRDIR], 1, 0);
> >
> > which resets the root port to the hurd (or sub-hurd) root.
>
> Ah, this rings a bell. I'm a bit surprised that it gets the root directory
> from exec and not the translator though.

That could have been useful in some cases maybe, yes. BTW, this is why
running a setuid program in a chroot escapes the chroot.

> > > > 4. Is it possible for a translator to provide different views of
> > > > the node for different users? For example, could each user have
> > > > their own list of packages they want installed and the HPM
> > > > translator would use ref-counting to install packages with
> > > > ref-count > 0, and/or perhaps even make different packages
> > > > appear installed for different users?
> > >
> > > This is actually possible, as the translator knows the user of the
> > > client so it can grant or withhold access. But I suspect that using
> > > it to provide different services to different users would violate many
> > > assumptions made by clients.
> >
> > Could you try to find examples? Usually, applications are not meant to
> > be run under several different identities.
>
> Not simultaneously, but applications can change their identity midway
> with setuid().

That's what I had in mind yes, but I'm still wondering :)

Samuel
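As an added illustration (constructed for this page, not Hurd source and not code from anyone in the thread), the following C model strings together the two steps the thread describes: the reauthentication step that flags an exec as "secure" when setuid changes the ID, and the do_exec condition that then replaces the caller's root directory port with the system root. Ports are modelled as small integers with 0 standing in for MACH_PORT_NULL, and the struct, function names and the simplified ID-change rule are assumptions of this model; the point it makes visible is that a setuid exec performed inside a chroot comes out with the system root, while a non-setuid exec (or a setuid bit that does not change the ID) keeps the chroot.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the exec server's root-directory choice.
   Ports are small integers; PORT_NULL plays the role of MACH_PORT_NULL. */
#define PORT_NULL 0

typedef struct {
    unsigned uid;      /* effective UID the calling task runs with (assumed field) */
    unsigned file_uid; /* owner of the executable (assumed field) */
    bool setuid;       /* executable carries the setuid bit (assumed field) */
} exec_request;

/* Models the "secure" result of fshelp_exec_reauth as described in the
   thread: secure == 1 when the ID actually changes because of setuid.
   The rule used here (setuid bit and owner != caller) is a simplification. */
static bool exec_reauth_is_secure(const exec_request *req, unsigned *new_uid)
{
    *new_uid = req->uid;
    if (req->setuid && req->file_uid != req->uid) {
        *new_uid = req->file_uid;
        return true;
    }
    return false;
}

/* Models the do_exec condition quoted in the thread:
   if (secure || (defaults && boot->portarray[INIT_PORT_CRDIR] == MACH_PORT_NULL))
       use (INIT_PORT_CRDIR, std_ports[INIT_PORT_CRDIR], 1, 0);
   i.e. the system root replaces the caller's root port. */
static int choose_crdir(bool secure, bool defaults, int caller_crdir, int std_crdir)
{
    if (secure || (defaults && caller_crdir == PORT_NULL))
        return std_crdir;
    return caller_crdir;
}

/* Full decision for one exec request: which root port the new image gets. */
int exec_root_port(const exec_request *req, bool defaults, int caller_crdir, int std_crdir)
{
    unsigned new_uid;
    bool secure = exec_reauth_is_secure(req, &new_uid);
    return choose_crdir(secure, defaults, caller_crdir, std_crdir);
}

int main(void)
{
    enum { SYSTEM_ROOT = 1, CHROOT_DIR = 2 };           /* constructed port values */
    exec_request plain = { .uid = 1000, .file_uid = 1000, .setuid = false };
    exec_request suid  = { .uid = 1000, .file_uid = 0,    .setuid = true  };
    exec_request same  = { .uid = 1000, .file_uid = 1000, .setuid = true  };

    printf("non-setuid exec in chroot keeps root port %d\n",
           exec_root_port(&plain, true, CHROOT_DIR, SYSTEM_ROOT));
    printf("setuid-to-root exec in chroot gets root port %d (chroot escaped)\n",
           exec_root_port(&suid, true, CHROOT_DIR, SYSTEM_ROOT));
    printf("setuid bit with no ID change keeps root port %d\n",
           exec_root_port(&same, true, CHROOT_DIR, SYSTEM_ROOT));
    return 0;
}
```

The model makes the defensive consequence explicit: on a system behaving as the thread describes, a chroot is not a boundary for any executable whose exec changes the ID, so the binaries reachable from inside the chroot need the same scrutiny as those outside it.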