gnu-system-discuss

Re: about GNU Hurd


From: Richard Stallman
Subject: Re: about GNU Hurd
Date: Mon, 10 Sep 2007 12:53:10 -0400

       One issue Marcus pointed out at some point is the infamous firmlink
       problem, i.e. that a translator set by a different user can lead to
       undesired behaviour. (If the user has a symlink to '/' in /tmp or his
       home directory for example, an rm -r on it launched by root would
       erase the whole file system.)

       This is probably a bug in the semantics of firmlink (it doesn't
       behave as links are supposed to behave), and/or rm just doesn't know
       how to handle links to directories correctly.

I talked with Marcus at length about this, and I don't think we
found a solution that really works.

       While Marcus was quick to conclude that translators are generally
       problematic in a global filesystem, I believe this is a pretty
       specific issue with the name resolution mechanism: The real problem
       here is that the translator hands out an unauthenticated object
       handle (capability), which the calling program subsequently
       authenticates against its *own* ID, i.e. the translator is
       effectively able to hand out a capability conveying more permissions
       than the user who created the translator has.

I think you are right that firmlinks should be limited by the ID of
their creator.  But I don't think that fully solves the problem.

Suppose you yourself create a firmlink from ~/foo/bar to ~.  And then
you forget about it.  And then you do rm -rf ~/foo.  The firmlink's
creator will be you, and you do have access to write your home dir, so
this will destroy its contents.  mv ~/foo /media/usb would also cause
trouble, and so might some other programs that do recursive operations
on subtrees.

So we still need a solution, and I don't know if there is one.

How about if those who are interested talk with Marcus about the
issue, then work together to look for possible solutions.  Then post
them here or in a suitable Hurd discussion site.



