Re: [RFC] call_with_creds()

From: Linus Torvalds
Date: Wed Jul 18 2018 - 14:19:34 EST

Next message: Jakub Kicinski: "Re: [PATCH 2/2] tools/bpftool: Fix segfault case regarding 'pin' arguments"
Previous message: Shilpasri G Bhat: "[PATCH v6 0/2] hwmon/powernv: Add attributes to enable/disable sensors"
In reply to: Al Viro: "[RFC] call_with_creds()"
Next in thread: Al Viro: "Re: [RFC] call_with_creds()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jul 18, 2018 at 11:13 AM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
>
> Linus, David - do you have any objections to the above?

I damn well do.

I explained earlier why it's wrong and fragile, and why it can just
cause the *reverse* security problem if you do it wrong. So now you
take a subtle bug, and make it even more subtle, and encourage people
to do this known-broken model of using creds at IO time.

No.

Some debugging option to just clear current->creds entirely and catch
mis-uses, sure. But saying "we have shit buggy garbage in random write
functions, so we'll just paper over it"? No.

Linus

Next message: Jakub Kicinski: "Re: [PATCH 2/2] tools/bpftool: Fix segfault case regarding 'pin' arguments"
Previous message: Shilpasri G Bhat: "[PATCH v6 0/2] hwmon/powernv: Add attributes to enable/disable sensors"
In reply to: Al Viro: "[RFC] call_with_creds()"
Next in thread: Al Viro: "Re: [RFC] call_with_creds()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]