On Mon, Nov 26, 2012 at 10:18:42AM +0100, Martin Husemann wrote:
> Does anyone know of a setup that uses a process outside of a chroot doing
> descriptor passing to a chrooted process?

Yes. I can point to the same example as Thor has described, but I think that it is easy to cook up numerous useful examples.

> I wonder if we should disallow that completely (i.e. fail the ancillary
> data send if sender and recipient have different p_cwdi->cwdi_rdir)?

This idea of failing the ancillary data transmission seems unnecessarily inflexible to me. I think that if process A has a "send descriptors" privilege, and process B has a "receive descriptors" privilege, and there is some communications channel from A to B, then A should be able to send a descriptor to B regardless of the origin or properties of that descriptor. B's privileges may not be sufficient to use certain "methods" of the descriptor---for example, to fexecve() the descriptor---but I think that is ok, because B's entire purpose may be to send the descriptor to a third process that can use the descriptor.

Dave

--
David Young
dyo...@pobox.com    Urbana, IL    (217) 721-9981
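The setup Martin asks about and David defends, shown end to end as an added example that is not code from this thread or from NetBSD: a parent process outside any chroot opens a file, forks a child that chroots into an empty directory, and then passes the open descriptor to the child as SCM_RIGHTS ancillary data. The child reports whether it could open the file by name (it cannot once jailed, since the path lies outside its root) and how many bytes it could read through the passed descriptor. Assumptions: /tmp is writable for the two scratch entries, the file content "outside-data" is constructed for the demonstration, and chroot(2) needs privilege, so an unprivileged run records that it stayed unjailed and continues; the descriptor-passing calls are the standard sendmsg/recvmsg SCM_RIGHTS interface and carry no chroot-specific logic.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child reports back to the parent after the experiment. */
struct report {
    int chrooted;        /* chroot(2) succeeded in the child */
    int direct_open_ok;  /* open(path) by name worked inside the child */
    int nread;           /* bytes read through the passed descriptor, -1 on failure */
};

/* SCM_RIGHTS transfer of exactly one descriptor over a connected AF_UNIX socket.
 * fd >= 0: send it, return 0 on success.  fd < 0: receive one, return the new local fd.  -1 on failure. */
static int pass_fd(int sock, int fd)
{
    char byte = 'F';                       /* SCM_RIGHTS needs at least one data byte alongside it */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg; struct cmsghdr *c;
    memset(&u, 0, sizeof u); memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;        msg.msg_iovlen = 1;
    msg.msg_control = u.buf;   msg.msg_controllen = sizeof u.buf;
    if (fd >= 0) {
        c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int)); memcpy(CMSG_DATA(c), &fd, sizeof fd);
        return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    for (c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS &&
            c->cmsg_len == CMSG_LEN(sizeof(int)))
            memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Child: jail itself if it can, then compare access by name with access via the passed fd. */
static void child(int sock, const char *path, const char *jail)
{
    struct report r = { 0, 0, -1 };
    char buf[64]; ssize_t n;
    /* chroot(2) needs privilege; an unprivileged run records chrooted = 0 and continues unjailed. */
    if (chroot(jail) == 0 && chdir("/") == 0)
        r.chrooted = 1;
    int byname = open(path, O_RDONLY);     /* ENOENT once jailed: the path lies outside the new root */
    if (byname >= 0) { r.direct_open_ok = 1; close(byname); }
    int pfd = pass_fd(sock, -1);           /* the descriptor the parent opened outside the jail */
    if (pfd >= 0 && (n = read(pfd, buf, sizeof buf)) >= 0)
        r.nread = (int)n;
    _exit(write(sock, &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
}

/* Parent: open the file outside any chroot, pass the descriptor in, collect the child's report. */
static int run_experiment(const char *path, const char *jail, struct report *out)
{
    int sv[2], rc = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) { close(sv[0]); child(sv[1], path, jail); }   /* child never returns */
    close(sv[1]);
    int fd = open(path, O_RDONLY);
    if (pid > 0 && fd >= 0 && pass_fd(sv[0], fd) == 0 &&
        read(sv[0], out, sizeof *out) == (ssize_t)sizeof *out)
        rc = 0;
    if (fd >= 0) close(fd);
    close(sv[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return rc;
}

/* Create a constructed secret file and an empty jail directory under /tmp (assumed writable),
 * run the experiment, clean up.  Returns 0 and fills *out on success. */
int demo(struct report *out)
{
    char file[] = "/tmp/fdpass-secret-XXXXXX", jail[] = "/tmp/fdpass-jail-XXXXXX";
    const char secret[] = "outside-data";  /* constructed sample content, 12 bytes */
    int fd = mkstemp(file), rc = -1;
    if (fd < 0) return -1;
    if (write(fd, secret, 12) == 12 && mkdtemp(jail) != NULL) {
        rc = run_experiment(file, jail, out);
        rmdir(jail);
    }
    close(fd);
    unlink(file);
    return rc;
}

int main(void)
{
    struct report r;
    if (demo(&r) != 0) return 1;
    printf("chrooted=%d open-by-name=%d bytes-via-passed-fd=%d\n", r.chrooted, r.direct_open_ok, r.nread);
    return 0;
}
```

Run as root it prints `chrooted=1 open-by-name=0 bytes-via-passed-fd=12`: the jailed process reads a file whose path it cannot even resolve, because the received descriptor refers to the open file object, not to a name under the receiver's root. That is exactly the transfer Martin's proposed cwdi_rdir comparison would reject, and the behaviour David argues should stay a question of what B is permitted to do with the descriptor rather than of whether the socket layer lets it arrive. Unprivileged, chroot fails and the line reads `chrooted=0 open-by-name=1 bytes-via-passed-fd=12`.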