On Tue, Mar 10, 2015 at 04:13:54PM +0100, Ed Schouten wrote:
> Hi Joerg,
>
> 2015-03-10 14:07 GMT+01:00 Joerg Sonnenberger <[email protected]>:
> > This doesn't make sense to me. All those functions can be used with both
> > absolute and relative path names. So why do you force use of *at(), when
> > arguments relative to CWD already fall into the restricted category?
>
> The idea behind Capsicum
> (http://www.cl.cam.ac.uk/research/security/capsicum/) is that once
> you've entered capabilities mode, the non-at() functions are disabled,
> while the at()-variants are restricted to relative paths only, not
> allowing you to escape the directory corresponding with that file
> descriptor.
>
> For example, you could implement a simple web server that has a single
> file descriptor for every virtualhost root directory. When in
> capabilities mode, the web server is not able to access files stored
> outside of the root directories, as it does not possess a file
> descriptor pointing to another directory.
>
> Processes using Capsicum do not have a working directory. AT_FDCWD can
> no longer be used.
Sounds like a stupid and artificial restriction, but ok...

Joerg

_______________________________________________
cfe-commits mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
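As an added illustration (not code from the thread, and not Capsicum's own kernel code), a small C model of the lookup rule Ed describes: AT_FDCWD lookups are refused, absolute paths are refused, and a relative path may not climb above the directory descriptor it is resolved against. The `enum verdict`, `capmode_lookup` and `vhost_lookup` names are the model's own.

```c
/* Lexical model of path lookup after cap_enter(): plain open()/AT_FDCWD is
 * disabled, openat() on a directory descriptor takes relative paths only and
 * may not escape that directory. Symlink targets met during a real lookup are
 * not modelled here. */
#include <stdbool.h>
#include <string.h>

enum verdict { ALLOW, DENY_NO_CWD, DENY_ABSOLUTE, DENY_ESCAPE };

/* dirfd_is_capability is false for AT_FDCWD (no working directory exists). */
enum verdict capmode_lookup(bool dirfd_is_capability, const char *path)
{
    if (!dirfd_is_capability)
        return DENY_NO_CWD;          /* non-at() / AT_FDCWD: disabled */
    if (path[0] == '/')
        return DENY_ABSOLUTE;        /* cannot name anything outside the fd */

    /* Walk the components, tracking depth below the directory descriptor.
       A ".." that would take the depth negative escapes and is refused;
       "a/../b" stays inside and is fine. */
    int depth = 0;
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return DENY_ESCAPE;
            depth--;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                 /* ordinary component; "." and "" skipped */
        }
        if (!end)
            break;
        p = end + 1;
    }
    return ALLOW;
}

/* The web server from the thread holds one directory descriptor per
   virtual-host root. It has to turn the request URI into a path relative to
   that descriptor before calling openat(); the kernel rule then does the
   containment check for it. */
enum verdict vhost_lookup(const char *request_uri)
{
    while (*request_uri == '/')
        request_uri++;               /* "/index.html" -> "index.html" */
    return capmode_lookup(true, request_uri);
}
```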
