Hi Joerg,

2015-03-10 14:07 GMT+01:00 Joerg Sonnenberger <[email protected]>:
> This doesn't make sense to me. All those functions can be used with both
> absolute and relative path names. So why do you force use of *at(), when
> arguments relative to CWD already fall into the restricted category?
The idea behind Capsicum (http://www.cl.cam.ac.uk/research/security/capsicum/) is that once you've entered capabilities mode, the non-at() functions are disabled, while the at()-variants are restricted to relative paths only, not allowing you to escape the directory corresponding with that file descriptor.

For example, you could implement a simple web server that has a single file descriptor for every virtualhost root directory. When in capabilities mode, the web server is not able to access files stored outside of the root directories, as it does not possess a file descriptor pointing to another directory.

Processes using Capsicum do not have a working directory. AT_FDCWD can no longer be used.

-- 
Ed Schouten <[email protected]>
