Re: Many questions about translators

[Samuel Thibault]

Carl Fredrik Hammar, le Fri 16 Apr 2010 11:52:04 +0200, a écrit :
> >      2. If yes on question 1, would this be insecure? For example, if
> >         the user overrides a library used by a setuid program? (Then
> >         again, if the program is running as e.g. root by setuid, it
> >         wouldn't [at least shouldn't] see the files as the user does)
> 
> Actually, I'm not entirely sure.

I'd prefer somebody else checks it too, but I believe it works this way:

diskfs_S_file_exec calles fshelp_exec_reauth, which returns secure==1
when the ID changes, which makes file_exec add EXEC_SECURE. In exec's
do_exec(), one can read

    if (secure || (defaults
                   && boot->portarray[INIT_PORT_CRDIR] == MACH_PORT_NULL))
      use (INIT_PORT_CRDIR, std_ports[INIT_PORT_CRDIR], 1, 0);

which resets the root port to the hurd (or sub-hurd) root.

> I know that the setuid program gets
> its credentials from the translator the executable is in, but I don't
> remember how / is handled or if linking is handled specially (and I'm
> too lazy to investigate further ATM).

Linking is done by the executed program itself, thus after the CRDIR
initialization above.

> >      4. Is it possible for a translator to provide different views of
> >         the node for different users? For example, could each user have
> >         their own list of packages they want installed and the HPM
> >         translator would use ref-counting to install packages with
> >         ref-count > 0, and/or perhaps even make different packages
> >         appear installed for different users?
> 
> This is actually possible, as the translator knows the user of the
> client so it can grant or withhold access.  But I suspect that using
> it to provide different services to different users would violate many
> assumptions made by clients.

Could you try to find examples?  Usually, applications are not meant to
be run under several different identities.

Samuel