[net.unix-wizards] file access

shawn%mit-dspg@BRL.ARPA (01/17/84)

It seems to me that there should be some way to make it such that
a user program could not read a 'directory file', that his program
would use a 'system call' to read the 'next' entry in this directory
file if the protection permitted, it seems this would make the file
system in general more secure, or did I miss something? Oh, yes,
I am aware, that if this was ever done, the 'world' would break, but
that's a small price to pay for security, or is it?

			Yours In Hacking,
			  -- Shawn

p.s.
Ideas stolen from TOPS-20.

gwyn%brl-vld@sri-unix.UUCP (01/17/84)

From:      Doug Gwyn (VLD/VMB) <gwyn@brl-vld>

Where have you been?  There is no security problem in reading
directories.  The only real problem is that UNIX directory format
is now variable, thanks to Berkeley.  To portably and easily access
UNIX directories, you should be using the new directory access
library routines available via net.sources or my independent
implementation (I do not like the Regents of the University of
California!) available for the asking (also part of the BRL UNIX
System V emulation for 4.2BSD).

This directory access library is something that should have been
done a long time ago, independently of the question of differing
directory formats.  I tried several months ago to get the Western
Electric development types interested in this issue but I have no
idea whether they have plans to provide the library routines with
future UNIX releases.

guy@rlgvax.UUCP (Guy Harris) (01/18/84)

<go away, bug!>

	It seems to me that there should be some way to make it such that
	a user program could not read a 'directory file', that his program
	would use a 'system call' to read the 'next' entry in this directory
	file if the protection permitted, it seems this would make the file
	system in general more secure, or did I miss something? Oh, yes,
	I am aware, that if this was ever done, the 'world' would break, but
	that's a small price to pay for security, or is it?

First, what do you mean by "secure"?  Secure in the sense of "secure against
crashes trashing things", or secure in the sense of "secure against protection
violations"?  If the former, reading a directory doesn't write to the disk
(except for setting the directory file's access time which should happen even
in your scheme) so this change contributes nothing.  If the latter, UNIX
already can protect the directory as a whole against reading; just turn off
the appropriate "r" bit.  If you meant protecting specific directory entries,
what bit would indicate whether the user would be allowed to read that entry
or not?

For that matter, what security holes are created by permitting the user to
read directory entries?

	Guy Harris
	{seismo,ihnp4,allegra}!rlgvax!guy

smk@axiom.UUCP (Steven Kramer) (01/19/84)

I think you're missing something.  If you can read the directory
as a whole or name by name, you are obtaining the SAME information.
If protection of the directory disallows reading, you cannot read
anything on either method.  (I assume on the name by name system
call basis you will also get the inode number, which makes both
methods equivalent.)  In fact, the opendir(), ... 4.2BSD (compatible)
library routines do EXACTLY what you want, but alas, the protection
is exactly the same on either method.

So, directly, UNIX gives you the `raw' directory file to look at,
and you can build routines around the structure to make your life
easier.  That's the UNIX way.  (I know by saying things like this
last statement I'll get a rebuttal.  For this article, I'll only
take rebuttals from North Dakota [is there one?] -- the rest of you
flame to /dev/null.)
-- 
	--steve kramer
	{allegra,genrad,ihnp4,utzoo,philabs,uw-beaver}!linus!axiom!smk	(UUCP)
	linus!axiom!smk@mitre-bedford					(MIL)
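The name-by-name access Guy and Steve describe, as an added example that is not part of the thread: it walks a directory through the 4.2BSD-style opendir()/readdir() library interface, shows that each entry arrives as a name plus its inode number, and shows that turning off the directory's own "r" bit is what denies the listing. It assumes a POSIX system; the scratch directory under /tmp and its file names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read `path` entry by entry through opendir()/readdir(), printing each name
 * with its inode number, the same pair a raw read() of the directory yields.
 * Returns the entry count, or -1 with errno set (EACCES once the "r" bit is off). */
int list_entries(const char *path)
{
    DIR *d = opendir(path);
    if (d == NULL) return -1;
    int n = 0;
    for (struct dirent *de; (de = readdir(d)) != NULL; n++)
        printf("%lu\t%s\n", (unsigned long) de->d_ino, de->d_name);
    closedir(d);
    return n;
}

/* Make a scratch directory under /tmp with three empty files (constructed sample
 * data), list it, remove it.  With `deny_read` set it is chmod'ed to mode 0 first.
 * Returns the entry count (5 when readable: ".", "..", file0..2) or -errno. */
int list_scratch_dir(int deny_read)
{
    char dir[] = "/tmp/dirdemo.XXXXXX", p[300];
    FILE *f;
    if (mkdtemp(dir) == NULL) return -errno;
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/file%d", dir, i);
        if ((f = fopen(p, "w")) != NULL) fclose(f);
    }
    if (deny_read) chmod(dir, 0);            /* turn off the "r" bit ... */
    int n = list_entries(dir), err = errno;  /* ... and opendir() now fails (unless root) */
    chmod(dir, 0700);                        /* restore the mode so the cleanup below works */
    for (int i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/file%d", dir, i); unlink(p); }
    rmdir(dir);
    return n < 0 ? -err : n;
}

int main(void)
{
    printf("readable: %d entries\n", list_scratch_dir(0));
    int r = list_scratch_dir(1);
    printf("mode 0: %s\n", r < 0 ? strerror(-r) : "still readable (running as root?)");
    return 0;
}
```

Run as root the mode-0 listing still succeeds, since the superuser bypasses the mode bits on either access method.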

chuqui@nsc.UUCP (01/20/84)

Another reason not to automatically page is if I have something on the
other end of the tty line that is only pretending to be a terminal. If I
try to download through that tty line, I don't want to have to hack up the
downloader to handle stripping '--more--' and sending spaces!


-- 
--Go ahead- Make my wombat!--
From the house at Pooh Corner:	Chuqui (a Silly Old Bear)
				{fortune,menlo70}!nsc!chuqui

I wish I had time to explain dimensional transcendentalism
						--- Dr. Who

feldman@tymix.UUCP (Steve Feldman) (02/05/84)

Regarding:
	Side note on Doug's "Regents" remark:  I feel it's inconsistent
	for a group-- like Berkeley or AT&T--to claim to be interested
	in software portability and then copyright its work.  Copyrighting
	is a far greater impediment to portability than the number of
	letters you use in variable names.

Unfortunately, the people doing the programming are not the ones who
make decisions about copyrights and licensing.  The CSRG at Berkeley
really had no choice about these matters.  They have to follow policies
set by the University.  The same is undoubtedly true of AT&T.  (It has
been said that the University lawyers would never sign the BSD agreement
themselves.  I tend to believe it.)

		Steve Feldman
		Tymshare
		(Formerly of the Berkeley CSRG)