From: Linus Torvalds
Date: Wed, 18 Jul 2018 11:19:18 -0700
Subject: Re: [RFC] call_with_creds()
To: Al Viro
Cc: Miklos Szeredi, Stephen Rothwell, linux-fsdevel, Linux Kernel Mailing List
In-Reply-To: <20180718181252.GU30522@ZenIV.linux.org.uk>
References: <20180711161540.GS30522@ZenIV.linux.org.uk> <20180712124326.GA19272@ZenIV.linux.org.uk> <20180712155337.GU30522@ZenIV.linux.org.uk> <20180718025636.GA26175@ZenIV.linux.org.uk> <20180718132955.2bf185b7@canb.auug.org.au> <20180718124340.GS30522@ZenIV.linux.org.uk> <20180718181252.GU30522@ZenIV.linux.org.uk>
Sender: linux-fsdevel-owner@vger.kernel.org

On Wed, Jul 18, 2018 at 11:13 AM Al Viro wrote:
>
> Linus, David - do you have any objections to the above?

I damn well do.

I explained earlier why it's wrong and fragile, and why it can just cause the *reverse* security problem if you do it wrong.

So now you take a subtle bug, and make it even more subtle, and encourage people to do this known-broken model of using creds at IO time.

No.

Some debugging option to just clear current->creds entirely and catch mis-uses, sure. But saying "we have shit buggy garbage in random write functions, so we'll just paper over it"? No.

Linus