Re: What operations in store_parsed_open() need the privilege?

[olafBuddenhagen]

Hi,

On Thu, Aug 28, 2008 at 11:48:13PM +0200, Da Zheng wrote:
> Thomas Bushnell BSG wrote:
>> On Thu, 2008-08-28 at 08:42 +0200, Neal H. Walfield wrote:

>>> I don't understand why boot should somehow override the user in this
>>> regard.  It is perfectly legitimate, I think, to give a non-root
>>> user access to, e.g., /dev/hda1.  In that case, why should boot not
>>> even try to open the device?
>>
>> Yes, I think of course you're right.
>>   
> If the non-user can access /dev/hda1, it means he can operate the hda1
> device directly without the help of the file system.

Yes of course. That's what the subhurd will do -- it has it's own file
system.

Obviously, if the user is to run a subhurd, he needs access privileges
for everything that the subhurd will use...

The whole point is that we want to allow the user to run his own custom
system, having full control over it -- and thus over all resources the
subhurd has access to. This means we can't give the subhurd access to
anything we don't want the user to access.

It would be possible of course to create some suid-like mechanism,
allowing the user to launch pre-defined safe environments, which could
have additional privileges, but would be known not to "leak" them to the
user. However, I don't think this is a terribly interesting use case...
Or at least it's not the one I'm interested in :-)

> Is the user really allowed to do it? In Linux or other Unix, this kind
> of operation is forbidden, I think.

Not at all -- root can always give some user full access to a disk (or
partition) device.

-antrik-