On Friday 07 June 2013 18:55:46 Lennart Poettering wrote:

> > > On Fri, 07.06.13 12:09, Steve Grubb (sgrubb@redhat.com) wrote:

> > > > > > Maybe the uid can be encoded in the name so that wrong uid's are

> > > > > > skipped?

> User "simo" creates /dev/shm/1000/ even though 1000 is the UID of user

> "lennart". Lennart can never start PA again, ever. And can't do anything

> about it, because "simo" is in control, and /dev/shm is sticky.

Why the UID has to be encoded in the name?

* The application can simply issue an lstat() before open() and skip

files with wrong uid's.

* Obviously, an attacker could try and trigger some race condition on

the name, but than it's OK for the audit to shout about it.

What am I missing?

--

Oron Peled Voice: +972-4-8228492

oron@actcom.co.il http://users.actcom.co.il/~oron

You know, someone once told me that New York has more lawyers than people.

-- Warren Buffett, Fortune, 1999