
Re: [Plash] fchmod not working?


From: Thomas Leonard
Subject: Re: [Plash] fchmod not working?
Date: Thu, 1 May 2008 20:22:31 +0100

2008/4/29 Mark Seaborn <address@hidden>:
> Thomas Leonard <address@hidden> wrote:
>  > unlink("HelloWorld/main")               = 0
>  > open("HelloWorld/main", O_RDWR|O_CREAT|O_TRUNC, 0666) = 12
>  > write(12, "#!/bin/sh\necho Hello World\n", 27) = 27
>  > fchmod(12, 0100755)                     = 0
>
>  This is a tricky one.  The cause is simple: fchmod() is one of those
>  operations for which file descriptors do not behave like capabilities.
>  fchmod() only works if the process is running under the UID that owns
>  the inode.  So fchmod() has never worked under Plash.

[...]

Ah. I hadn't appreciated the complexity behind this! Thanks for the
explanation.

>  I can think of two ways to support fchmod().
>
>  1. The server process could provide a generic fchmod() operation that
>  takes an FD and a mode and invokes fchmod() under its own UID.  This
>  would be very coarse-grained.  This limits our ability to restrict
>  chmod() operations on files that we have granted to sandboxed
>  processes.  fchmod() does not normally look at the FD's open flags;
>  you can use it on read-only FDs.  We would probably have to check the
>  open flags using fcntl() (F_GETFL).

That sounds reasonable. If I give a program write access to a file, then I'm
probably OK with it being able to change the permissions too, and if I don't
want a program to write to a file then I probably don't want the permissions
changed either. Anything else would be too confusing!

>  I was planning on doing a release of Plash soon.  Would you object if
>  I made a release before trying to fix this?  It is not a trivial thing
>  to fix.  It looks like tar still works: it uses open() to set the file
>  mode instead of fchmod().

OK. I think I'll disable Zero Install's Plash support for now as it
hasn't worked for some time. I'll re-enable it once everything is
working again...

Thanks!


-- 
Dr Thomas Leonard       http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1
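
The open-flags check from option 1 in the quoted message, as an added example that is not part of the original thread and is not Plash's code: a server-side wrapper that consults `fcntl(F_GETFL)` before calling `fchmod()` under its own UID. The function name `checked_fchmod`, the `EACCES` error choice, the `0777` mask and the temp-file path are assumptions of this sketch.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical server-side helper (the name is an assumption of this example).
 * Runs fchmod() on behalf of a sandboxed client, but only when the FD the
 * client passed in was opened for writing. Returns 0, or -1 with errno set. */
int checked_fchmod(int fd, mode_t mode)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -1;                       /* errno set by fcntl, e.g. EBADF */
    int acc = flags & O_ACCMODE;
    if (acc != O_WRONLY && acc != O_RDWR) {
        errno = EACCES;                  /* read-only FD: refuse the chmod */
        return -1;
    }
    /* Assumption: honour only the rwx bits; drop the file-type bits and
     * setuid/setgid/sticky, since the call runs under the server's UID. */
    return fchmod(fd, mode & 0777);
}

/* Exercise both cases on a constructed temp file; returns 0 if all hold. */
int demo(void)
{
    char path[] = "/tmp/fchmod_demo_XXXXXX";
    struct stat before, after;
    int bad = 0;
    int wfd = mkstemp(path);             /* mkstemp opens the file O_RDWR */
    if (wfd < 0) return 1;
    int rfd = open(path, O_RDONLY);
    if (rfd < 0 || fstat(wfd, &before) != 0) bad = 1;
    /* Read-only descriptor: rejected, mode left untouched. */
    if (!bad && (checked_fchmod(rfd, 0100755) != -1 || errno != EACCES)) bad = 1;
    if (!bad && (fstat(wfd, &after) != 0 || after.st_mode != before.st_mode)) bad = 1;
    /* Writable descriptor: 0100755 from the trace is applied as 0755. */
    if (!bad && checked_fchmod(wfd, 0100755) != 0) bad = 1;
    if (!bad && (fstat(wfd, &after) != 0 || (after.st_mode & 07777) != 0755)) bad = 1;
    if (rfd >= 0) close(rfd);
    close(wfd);
    unlink(path);
    return bad;
}

int main(void) { int r = demo(); puts(r ? "unexpected" : "ok"); return r; }
```

The check ties permission changes to write access on the descriptor, which matches the policy agreed in the reply above; it does not make the operation any finer-grained than the open flags themselves.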



