>>> Unfortunately, this requires giving user code access to raw disks,
>>> which poses essentially the same set of security risks in the long
>>> term.

>> How exactly did you arrive at that conclusion?

> If user code can overwrite your root filesystem by accessing the
> wrong disk sectors [...]

If "giving...access to raw disks" is an all-or-nothing proposition,
that is, if you can't grant access to one disk without granting access
to all, you're right.

But I see no reason why granting access to (say) sd0* has to also grant
access to wd* or sd1*, or why granting access to sd0e has to also grant
access to sd0[^e].  Certainly using chmod today doesn't do either, and I
can imagine ways (such as passing an already-open fd when the kernel
invokes the handler) which have essentially no risk beyond what is
truly necessary for the filesystem handler to do its job.

(There's still the overlapping-partition question, but there is no way
to make that one go away short of outright forbidding overlapping
partitions, since a mount for write _must_ be able to write to its
partition.)

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!		7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
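The "pass an already-open fd" design mentioned in the reply above, sketched as an added example (this is not code from the poster or from any kernel; a temporary file stands in for the sd0e partition, and the unprivileged filesystem handler is a forked child that is given nothing but that one descriptor over a UNIX socket with SCM_RIGHTS). The privileged side opens exactly the partition being mounted, with the access mode the mount asked for, so a read-only mount hands over an O_RDONLY descriptor and the handler's write attempt fails with EBADF, while a read-write mount hands over O_RDWR and the write lands; the handler never holds a descriptor for any other disk. The function `run_handler_demo` and the label string are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define LABEL "written-by-fs-handler"   /* constructed marker the handler writes at offset 0 */

/* One-byte message carrying a single descriptor as SCM_RIGHTS ancillary data. */
struct fdmsg {
    struct msghdr msg;
    struct iovec iov;
    char byte;
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
};

static void fdmsg_init(struct fdmsg *m)
{
    memset(m, 0, sizeof *m);
    m->iov.iov_base = &m->byte;  m->iov.iov_len = 1;
    m->msg.msg_iov = &m->iov;    m->msg.msg_iovlen = 1;
    m->msg.msg_control = m->u.buf;
    m->msg.msg_controllen = sizeof m->u.buf;
}

/* Privileged side: hand exactly one already-open descriptor to the peer. */
static int send_fd(int sock, int fd)
{
    struct fdmsg m;
    fdmsg_init(&m);
    struct cmsghdr *c = CMSG_FIRSTHDR(&m.msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &m.msg, 0) == 1 ? 0 : -1;
}

/* Handler side: receive the descriptor, refusing anything that is not SCM_RIGHTS. */
static int recv_fd(int sock)
{
    struct fdmsg m;
    int fd;
    fdmsg_init(&m);
    if (recvmsg(sock, &m.msg, 0) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m.msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* The unprivileged filesystem handler. All it ever holds is the one fd the
 * mount gave it. Exit status: 0 = label written, 2 = descriptor was read-only
 * (pwrite fails with EBADF), 3 = any other failure. */
static int handler_main(int sock)
{
    int part = recv_fd(sock);
    close(sock);
    if (part < 0)
        return 3;
    if (pwrite(part, LABEL, sizeof LABEL, 0) < 0)
        return errno == EBADF ? 2 : 3;
    return 0;
}

/* Privileged side of the demo: make a 4 KiB image standing in for sd0e, fork the
 * handler BEFORE opening anything (so it inherits no disk descriptors), then open
 * only that image with the mode the mount requested and pass it over the socket.
 * Returns the handler's exit status; copies the start of the image into readback. */
int run_handler_demo(int writable, char *readback, size_t len)
{
    char path[] = "/tmp/sd0e-image-XXXXXX";   /* constructed stand-in, not a real device node */
    int img = mkstemp(path);
    if (img < 0) return -1;
    if (ftruncate(img, 4096) < 0) { close(img); unlink(path); return -1; }
    close(img);

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { unlink(path); return -1; }
    pid_t pid = fork();
    if (pid < 0) { unlink(path); return -1; }
    if (pid == 0) { close(sv[0]); _exit(handler_main(sv[1])); }
    close(sv[1]);

    int part = open(path, writable ? O_RDWR : O_RDONLY);   /* mode follows the mount request */
    int rc = part < 0 ? -1 : send_fd(sv[0], part);
    if (part >= 0) close(part);
    close(sv[0]);                                          /* handler now owns the only copy */

    int status = 0;
    waitpid(pid, &status, 0);
    memset(readback, 0, len);
    int fd = open(path, O_RDONLY);
    if (fd >= 0) { (void)pread(fd, readback, len - 1, 0); close(fd); }
    unlink(path);
    return (rc < 0 || !WIFEXITED(status)) ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    char buf[64];
    int rw = run_handler_demo(1, buf, sizeof buf);
    printf("read-write mount: handler status %d, image starts with \"%s\"\n", rw, buf);
    int ro = run_handler_demo(0, buf, sizeof buf);
    printf("read-only mount:  handler status %d, image starts with \"%s\"\n", ro, buf);
    return 0;
}
```

The descriptor is the whole capability: the handler process can read and write only within the object the kernel opened for it, and the open mode is decided by the side that performs the mount, not by the handler. The overlapping-partition caveat from the post is untouched by this mechanism, since a descriptor for a writable partition necessarily covers whatever other partition shares those sectors.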