Hacker News

On the other hand, having a single abstraction / entry point makes it easier to implement generic sanity checks. If you add a check for that kind of problem at the right layer, it will cover other / future interfaces. On the other hand, if you use ad-hoc system calls, any mitigation or fix will typically only cover that one specific call.

Unfortunately, generic sanity checks are often not enough. You immediately run into problems where very file-specific concepts (owner, RWX permissions) aren't sufficient to handle certain types of represented-as-files objects (such as procfs files, where privileges with regard to a process aren't accurately described through Unix DAC permissions).

And then you get into some of the really hairy issues -- any user can trick a privileged program into writing or reading from any file by simply spawning a setuid program with stdio set to the file they wish to operate on. Thus, any interface which is administrative is simply unsafe to expose through the standard open/read/write interfaces -- which means that you have to come up with some alternative interface anyway.
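As an added example (mine, not code from the comment above or from any project it refers to), here is the inheritance hazard the comment points at, in the form that a setuid program can actually check for itself: fds 0, 1 and 2 are inherited from the unprivileged caller, so if the caller closes one of them, the first privileged file the program opens lands in that slot, and the next printf() or perror() writes into it. The standard startup check is to make sure fds 0 to 2 are open on something harmless before opening anything else; OpenSSH and sudo do this in userspace, and the Linux kernel does the equivalent when it execs a setuid binary. Assumes a POSIX system with /dev/null; the function names are my own.

```c
/* Added example, not from the comment above: startup sanitising of fds 0..2
 * as setuid programs do it, plus two functions that show why it is needed.
 * Assumes POSIX and /dev/null; function names are the author's own. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Make sure fd is open; if it is closed, point it at /dev/null.
 * Returns 1 if it was closed and has been replaced, 0 if it was already open,
 * -1 on error. */
int sanitise_fd(int fd)
{
    if (fcntl(fd, F_GETFD) != -1)
        return 0;                 /* already open, leave it alone */
    if (errno != EBADF)
        return -1;
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd == -1)
        return -1;
    if (nullfd == fd)
        return 1;                 /* open() picked the lowest free fd, which was fd */
    int r = dup2(nullfd, fd);
    close(nullfd);
    return r == -1 ? -1 : 1;
}

/* Sanitise fds 0..2. Returns how many had to be replaced, or -1 on error.
 * Call this before any other open(): a closed stdio fd is exactly where the
 * first privileged file the program opens would land. */
int sanitise_stdfd(void)
{
    int replaced = 0;
    for (int fd = 0; fd <= 2; fd++) {
        int r = sanitise_fd(fd);
        if (r < 0)
            return -1;
        replaced += r;
    }
    return replaced;
}

/* Why the check matters: with fd 1 closed, the next open() returns 1, so
 * anything later written to stdout goes into that file. Returns 1 if that is
 * what happened, 0 otherwise. Real stdout is saved and restored, so this is
 * safe to call from a normal process. */
int closed_stdout_catches_next_open(void)
{
    if (sanitise_stdfd() < 0)     /* ensure fd 0 is open so 1 is the lowest free slot */
        return 0;
    int saved = dup(1);
    if (saved == -1)
        return 0;
    close(1);
    int f = open("/dev/null", O_WRONLY);   /* stands in for a privileged file */
    int landed_on_stdout = (f == 1);
    if (f != -1 && f != 1)
        close(f);
    dup2(saved, 1);               /* restore stdout (also closes the stand-in if it was fd 1) */
    close(saved);
    return landed_on_stdout;
}

/* Round trip for sanitise_fd on a closed non-stdio fd: open, close, sanitise,
 * and confirm the slot is now an open character device (/dev/null). Returns 1 on success. */
int sanitise_closed_fd_roundtrip(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd == -1)
        return 0;
    close(fd);
    if (sanitise_fd(fd) != 1)     /* closed: must be replaced */
        return 0;
    if (sanitise_fd(fd) != 0)     /* now open: must be left alone */
        return 0;
    struct stat st;
    int ok = (fstat(fd, &st) == 0 && S_ISCHR(st.st_mode));
    close(fd);
    return ok;
}

int main(void)
{
    int n = sanitise_stdfd();
    printf("stdio fds replaced at startup: %d\n", n);
    printf("closed stdout catches the next open(): %d\n", closed_stdout_catches_next_open());
    printf("sanitise_fd round trip ok: %d\n", sanitise_closed_fd_roundtrip());
    return n < 0 ? 1 : 0;
}
```

Run it normally and then as `./a.out >&-` to see the difference in the first line. Note the scope of the check: it only covers the closed-fd variant, where the program itself would have opened the privileged file into the vacated slot. It does nothing about fds the caller deliberately opened and passed down, which is the situation the comment is drawing its conclusion from.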
