log why the permission is denied

Posted Jan 20, 2013 21:52 UTC (Sun) by dlang (✭ supporter ✭, #313)
In reply to: log why the permission is denied by epa
Parent article: Making EPERM friendlier

Getting permission denied info in log files is useful for far more than "diagnosing cryptic one by error codes".

It lets the admin of the box see all the access that was denied. This can frequently identify 'bad actors' (unless they know the system intimately, they will have to poke around a bit before they find the hole they can get through).

And if you have a lot of permission denied errors, you would want to fix the software that's generating them to do something different.

All of this without any need to tie it in to a specific return code.

It happens to also give you a way to get more detail on the specific error (when you can tie the error to a specific time), and it nicely addresses the fact that you may not want the user to know all the details of why the permission was denied, but you do want to let the admin know.


log why the permission is denied

Posted Jan 21, 2013 5:53 UTC (Mon) by epa (subscriber, #39769)

It's not about 'the admin of the box' - that is no longer even a concept that makes sense in many use cases such as phones, or even a corporate environment where the IT department might have better things to do than investigate every 'permission denied' error returned to every user. It is about giving the application the details it needs to report a clear error message to the user. Otherwise why have error returns at all? Every syscall could just return 0 or 1, and if you want more info the administrator can easily grep the log files....

Returning meaningful error indicators to userspace does not preclude writing to a log file as well. In some cases, yes, security requires giving a terse 'permission denied' error with no further details. That situation is not the norm.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds