Misunderstanding UNIX security

I just got a comment on my entry about path based access control that was fairly startling to me. The more I thought about it, though, the more I thought maybe others shared these beliefs, so I'm going to respond to it here.

inode-based security has analogous problems to path-based security. Software opens paths, not inodes, so it very much matters what the permissions are for the file at /etc/shadow or /var/data/mydb, regardless of what the inode happens to be. With an inode-based system, security may go out the window when programs replace or manipulate inodes, as many of them do.

Software opens paths because paths are the abstraction exposed to userspace applications. It certainly matters what permissions are on /etc/shadow, but those permissions, and the access-control decision itself, are always stored and enforced at the inode level, as I will demonstrate below. Applications that manipulate inodes have always needed to set security attributes on those inodes: look at the passwd source code and you will see that it creates the inode with mode 400 (r--------).

Read more at Joshua Brindle blog
