On Sat, Sep 07, 2002 at 05:17:35PM +0200, Ingo Molnar wrote:
>
> On Sat, 7 Sep 2002 pwaechtler@mac.com wrote:
>
> > OTOH I can't see a _big_ problem when a process with sufficient
> > permissions can trash the message queues - otherwise I wonder why file
> > permissions are granted "per user" and not "per process".
>
> yes - furthermore, processes from the same user can 'trash' queues anyway,
> via ptrace() or mmaping /proc.
That is correct, but it is not the issue though. The issue is that
completely unrelated processes can spoof/destroy each other's messages.
If a queue is set up with mq_open(name, O_CREAT|O_RDWR, S_IWOTH, &attr),
the process which set it up expects that "others" (processes not owned
by the user or by users in his/her group) will be able to send, and only
send, messages. If shared memory is used, "others" must be able to
update the data structures representing the queue, so they will be able
to do a lot more than just send.
The fundamental problem is that filesystem permissions do not map
cleanly to message queue permissions. Does this make sense? Thanks.
Amos Waterland
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Sep 15 2002 - 22:00:15 EST