Followup to: <[EMAIL PROTECTED]>
By author: Pavel Roskin <[EMAIL PROTECTED]>
In newsgroup: linux.dev.fs.devel
>
> Hello, David!
>
> Thank you very much for the informative reply!
>
> > Currently there is now way to specify the permissions of the ramfs
> > root directory at mount time: it's always root.root, 0755. Somebody
> > did post a patch which added this. However, I'm not sure it's worth
> > addiding this in the kernel, rather than just putting a chmod command
> > in the startup scripts. Alternatively that functionality could be put
> > into mount(8).
>
> I did more research on the topic and now I'm quite confident that this
> option should be in the kernel for consistency with devpts.
>
I would disagree with that. The reason devpts (and msdos, and quite a
few more) has "mode" is that they create additional device entries on
the fly, and need modes for *those*. In fact, in the case of devpts,
this mode isn't even used for the root.
In the case of ramfs, this is a single node, and a single chown/chroot
system call should take care of that. HOWEVER, this assumes that
there isn't a window of opportunity for an attacker.
Therefore, it is my (firm!) opinion that the permissions should start
out as mode 0700 with the mounting uid and gid as the owner. An
alternative would be to have mode 0777 modified by the mounting umask.
-hpa
--
<[EMAIL PROTECTED]> at work, <[EMAIL PROTECTED]> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
-
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to [EMAIL PROTECTED]
