In article <20121125152520.ga17...@panix.com>, Thor Lancelot Simon <t...@panix.com> wrote:
>On Sat, Nov 24, 2012 at 06:53:16PM +0100, Emmanuel Dreyfus wrote:
>> Let's try to move forward, and I will start with a sum-up of what I
>> understand from the standard. It would be nice if we could at least
>> reach consensus on standard interpretation.
>
>I think your interpretation of the standard is correct. The
>particularly problematic part is:
>
>> O_EXEC is mutually exclusive with O_RDONLY, O_WRONLY, or O_RDWR
>
>This -- along with the basic shift from checking permissions when a handle
>to an object is obtained to checking them when it's used -- is exemplary of
>the poor design that seems to have gone into this set of "features".
>
>> Does everyone agree on this interpretation? If we do, next steps are
>> - describe threats this introduces to chrooted processes
>> - decide if they are acceptable and if they are not, propose mitigation.
>
>I think you left out part of the solution space:
>
> - simply don't include this poorly-designed functionality in NetBSD.

Unless you want to change O_RDONLY to be non-zero and version all the syscalls that use it :-)

christos
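As an added illustration of the point Thor and Christos are making (example code, not from the thread or from NetBSD; the OLD_*/NEW_* flag values, ACCMODE_FIELD and both helper functions are constructed for this example), this shows why the standard's mutual-exclusion rule cannot be enforced while O_RDONLY is zero, and what the "version all the syscalls" remark would require of a compat shim:

```c
/* Added illustration, not code from the thread or NetBSD; all flag values
 * are constructed. Shows why "O_EXEC is mutually exclusive with O_RDONLY"
 * cannot be checked while O_RDONLY == 0, and the compat cost of changing it. */
#include <stdbool.h>
#include <stdio.h>

#define ACCMODE_FIELD 0xF /* bits reserved for the access mode, both encodings */

/* Traditional encoding: O_RDONLY is 0, so "read-only" and "no access
 * mode at all" are the same bit pattern. */
enum { OLD_RDONLY = 0x0, OLD_WRONLY = 0x1, OLD_RDWR = 0x2, OLD_EXEC = 0x4 };
#define OLD_ACCMODE (OLD_WRONLY | OLD_RDWR | OLD_EXEC)

/* Hypothetical encoding with a non-zero O_RDONLY: each mode is its own
 * bit, so a conflicting combination is visible to the kernel. */
enum { NEW_RDONLY = 0x1, NEW_WRONLY = 0x2, NEW_RDWR = 0x4, NEW_EXEC = 0x8 };
#define NEW_ACCMODE (NEW_RDONLY | NEW_WRONLY | NEW_RDWR | NEW_EXEC)

/* True when more than one access-mode bit is set under the given mask,
 * i.e. the caller combined modes the standard calls mutually exclusive. */
static bool conflicting_modes(int flags, int accmode_mask)
{
    int mode = flags & accmode_mask;
    return mode != 0 && (mode & (mode - 1)) != 0;
}

/* The compat work Christos alludes to: a versioned open(2) entry would
 * remap an old binary's flags onto the new encoding. A zero mode field was
 * the only way to say "read-only", so it becomes NEW_RDONLY. Because
 * OLD_EXEC | OLD_RDONLY == OLD_EXEC, that caller's intent is already lost. */
static int translate_old_flags(int old_flags)
{
    int other = old_flags & ~ACCMODE_FIELD; /* non-mode flags pass through */
    int mode = old_flags & OLD_ACCMODE;
    int new_mode = 0;
    if (mode == OLD_RDONLY) new_mode |= NEW_RDONLY;
    if (mode & OLD_WRONLY)  new_mode |= NEW_WRONLY;
    if (mode & OLD_RDWR)    new_mode |= NEW_RDWR;
    if (mode & OLD_EXEC)    new_mode |= NEW_EXEC;
    return other | new_mode;
}

int main(void)
{
    printf("old encoding, O_EXEC|O_RDONLY flagged: %d\n",
           conflicting_modes(OLD_EXEC | OLD_RDONLY, OLD_ACCMODE)); /* 0 */
    printf("new encoding, O_EXEC|O_RDONLY flagged: %d\n",
           conflicting_modes(NEW_EXEC | NEW_RDONLY, NEW_ACCMODE)); /* 1 */
    return 0;
}
```

Under the zero-valued O_RDONLY the first check can never fire, which is exactly why the rule as worded is unenforceable without the flag-renumbering (and syscall versioning) Christos describes.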