Received: with ECARTIS (v1.0.0; list netdev); Wed, 23 Jul 2003 10:24:51 -0700 (PDT)
Received: from linux.research.att.com (H-135-207-24-16.research.att.com [135.207.24.16])
	by oss.sgi.com (8.12.9/8.12.9) with SMTP id h6NHOgFl006012
	for <netdev@oss.sgi.com>; Wed, 23 Jul 2003 10:24:43 -0700
Received: from raptor.research.att.com (raptor.research.att.com [135.207.23.32])
	by linux.research.att.com (8.12.8/8.12.8) with ESMTP id h6NHfjJh028191;
	Wed, 23 Jul 2003 13:41:45 -0400
Received: (from gsf@localhost)
	by raptor.research.att.com (SGI-8.9.3p2/8.8.7) id NAA90957;
	Wed, 23 Jul 2003 13:24:36 -0400 (EDT)
Date: Wed, 23 Jul 2003 13:24:36 -0400 (EDT)
From: Glenn Fowler <gsf@research.att.com>
Message-Id: <200307231724.NAA90957@raptor.research.att.com>
Organization: AT&T Labs Research
X-Mailer: mailx (AT&T/BSD) 9.9 2003-01-17
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
References: <200307231428.KAA15254@raptor.research.att.com>  <20030723074615.25eea776.davem@redhat.com>  <200307231656.MAA69129@raptor.research.att.com> <20030723100043.18d5b025.davem@redhat.com>
To: davem@redhat.com, gsf@research.att.com
Subject: Re: kernel bug in socketpair()
Cc: dgk@research.att.com, linux-kernel@vger.kernel.org, netdev@oss.sgi.com
X-archive-position: 4254
X-ecartis-version: Ecartis v1.0.0
Sender: netdev-bounce@oss.sgi.com
Errors-to: netdev-bounce@oss.sgi.com
X-original-sender: gsf@research.att.com
Precedence: bulk
X-list: netdev


On Wed, 23 Jul 2003 10:00:43 -0700 David S. Miller wrote:
> On Wed, 23 Jul 2003 12:56:12 -0400 (EDT)
> Glenn Fowler <gsf@research.att.com> wrote:

> > the problem is that linux took an implementation shortcut by symlinking
> > 	/dev/fd/N -> /proc/self/fd/N
> > and by the time the kernel sees /proc/self/fd/N the "self"-ness is apparently
> > lost, and it is forced to do the security checks

> None of this is true.  If you open /proc/self/fd/N directly the problem
> is still there.

you missed the point that the original open() call is on /dev/fd/N,
not /proc/PID/fd/N; /proc/PID/fd/N only comes into play because the
linux implementation foists it on the user

> > if the /proc fd open code has access to the original /proc/PID/fd/N path
> > then it can do dup(atoi(N)) when the PID is the current process without
> > affecting security

> If we're talking about the current process, there is no use in using
> /proc/*/fd/N to open a file descriptor in the first place, you can
> simply call open(N,...)

no, in the notation above N is the fd number "so you could simply call dup(N)"

here is one reason why /dev/fd/N is useful:

/dev/fd/N is the underlying mechanism for implementing the bash and ksh

	cmd-1 <(cmd-2 ...) ... <(cmd-n ...)

each <(cmd-i ...) is converted to a pipe() with the write side getting the
output of cmd-i (and marked close on exec) and the read side *not* marked
close on exec; cmd-1 is then executed as

	cmd-1 /dev/fd/PIPE-READ-2 ... /dev/fd/PIPE-READ-n

where PIPE-READ-i is the fd number of the read side of the pipe for cmd-i