Sun, 12 Oct 2003 15:33:22 +0200
I had another look at io_identity. It seems to me to be a rather bogus
concept. Why not just compare the fsid and inode number of the I/O object?
Sure, it's not always easy to make sure that those are unique (in
particular, the inode number) in all servers, but it's a nice and simple

Security cannot be the reason. What stops a malicious server from giving
out a send right to the I/O identity port of _another_ server? This allows
any server to pretend to provide the same I/O object as any other server.
Is this intentional, or an oversight?
io_identity is not widely used. It's used in fakeroot, and in getcwd.c of
glibc for canonicalization. I am unsure about security implications in the
current implementation. As long as you stay away from untrusted servers,
you are fine; if you use them, you are screwed anyway.

On L4, you always know who provides a given capability, as you know the
server thread ID implementing it. So, you can do secure numerical
comparison. If the purpose is to allow faking other I/O objects, then
using capabilities might be necessary (to ensure that there is always an
active reference to the I/O object - if an I/O identity port constitutes an
active reference. However, the current implementation maps inode numbers to
I/O ports, so numerical comparison should be good enough).
`Rhubarb is no Egyptian god.' GNU http://www.gnu.org address@hidden
Marcus Brinkmann The Hurd http://www.gnu.org/software/hurd/
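The comparison proposed in the message, fsid plus inode number as the identity of an I/O object, written out as an added example (not code from the thread, the Hurd, or glibc), using the portable fstat fields st_dev and st_ino. The demo helper and its constructed temp files are assumptions for illustration; as the message notes, these values are only as trustworthy as the server that reports them.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Identity of an open I/O object as the message proposes it:
   the filesystem id (st_dev) and the inode number (st_ino). */
struct io_id { dev_t dev; ino_t ino; };

/* Fill *out from the descriptor. Returns 0 on success, -1 if fstat fails
   (e.g. a closed or invalid descriptor). */
int io_id_of(int fd, struct io_id *out) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    out->dev = st.st_dev;
    out->ino = st.st_ino;
    return 0;
}

/* 1 if both descriptors name the same object, 0 if not, -1 on error.
   Caveat from the message: the (dev, ino) pair comes from whoever serves
   the object, so two objects served by different untrusted servers can
   still collide on the pair. */
int same_io_object(int fd_a, int fd_b) {
    struct io_id a, b;
    if (io_id_of(fd_a, &a) != 0 || io_id_of(fd_b, &b) != 0) return -1;
    return a.dev == b.dev && a.ino == b.ino;
}

/* Hypothetical demo: a file opened twice compares equal, two distinct
   files do not. Creates two constructed temp files and removes them.
   Returns 1 if both expectations hold, 0 otherwise, -1 on setup error. */
int demo_same_file_vs_distinct(void) {
    char p1[] = "/tmp/ioid_XXXXXX", p2[] = "/tmp/ioid_XXXXXX";
    int f1 = mkstemp(p1), f2 = mkstemp(p2);
    if (f1 < 0 || f2 < 0) return -1;
    int f1_again = open(p1, O_RDONLY);
    if (f1_again < 0) { close(f1); close(f2); unlink(p1); unlink(p2); return -1; }
    int r = (same_io_object(f1, f1_again) == 1) && (same_io_object(f1, f2) == 0);
    close(f1); close(f2); close(f1_again);
    unlink(p1); unlink(p2);
    return r;
}
```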