Re: [VULN 4/4] Process auth man-in-the-middle

To: William ML Leslie <william.leslie.ttg@gmail.com>
Cc: Sergey Bugaev <bugaevc@gmail.com>, bug-hurd <bug-hurd@gnu.org>, Mailing List - Debian GNU/Hurd <debian-hurd@lists.debian.org>
Subject: Re: [VULN 4/4] Process auth man-in-the-middle
From: Samuel Thibault <samuel.thibault@gnu.org>
Date: Fri, 5 Nov 2021 11:40:52 +0100
Message-id: <[🔎] 20211105104052.gjihxflusnajggzd@begin>
Mail-followup-to: William ML Leslie <william.leslie.ttg@gmail.com>, Sergey Bugaev <bugaevc@gmail.com>, bug-hurd <bug-hurd@gnu.org>, Mailing List - Debian GNU/Hurd <debian-hurd@lists.debian.org>
In-reply-to: <[🔎] CAHgd1hFJb-OyXjskCCYP-KnDXzPm6_4V2TiGM+HU-1DKeFWrLQ@mail.gmail.com>
References: <[🔎] 20211102163121.415934-1-bugaevc@gmail.com> <[🔎] 20211102163121.415934-5-bugaevc@gmail.com> <[🔎] CAHgd1hFJb-OyXjskCCYP-KnDXzPm6_4V2TiGM+HU-1DKeFWrLQ@mail.gmail.com>

William ML Leslie, le ven. 05 nov. 2021 21:18:50 +1100, a ecrit:
> > which makes the root filesystem reauthenticate all of the
> > processes file descriptors.
> 
> It seems to eliminate a rather convenient method of delegation; a
> process opening a descriptor, forking and executing a child, and
> dropping privileges, while retaining access to that one resource.

reauthenticating doesn't mean closing. File permissions for open are
checked at the open step, not later on. But then there are other things
than just opening a file, such as starting a translator, which we don't
necessarily want to let the unprivileged-with-one-opened-file do.

Samuel

Reply to:

Follow-Ups:
- Re: [VULN 4/4] Process auth man-in-the-middle
  - From: William ML Leslie <william.leslie.ttg@gmail.com>
- Re: [VULN 4/4] Process auth man-in-the-middle
  - From: Sergey Bugaev <bugaevc@gmail.com>

References:
- [VULN 0/4] Hurd vulnerability details
  - From: Sergey Bugaev <bugaevc@gmail.com>
- [VULN 4/4] Process auth man-in-the-middle
  - From: Sergey Bugaev <bugaevc@gmail.com>
- Re: [VULN 4/4] Process auth man-in-the-middle
  - From: William ML Leslie <william.leslie.ttg@gmail.com>

Prev by Date: Re: [VULN 4/4] Process auth man-in-the-middle
Next by Date: Re: [VULN 4/4] Process auth man-in-the-middle
Previous by thread: Re: [VULN 4/4] Process auth man-in-the-middle
Next by thread: Re: [VULN 4/4] Process auth man-in-the-middle
Index(es):
- Date
- Thread