I have to concur with anonymonk, what could the bad guys do by passing module X a particular open filehandle, that they couldn't do themselves?

Format the contents nicely perhaps.

It would be better (IMHO) to accept a file name (in taint mode) and sanitize it within your module.

The intent was to reinforce that incoming information (in this case a file handle with no other attached information) should be sanitized within your module.
While the source could well be benign, it is not that hard to use secure practices from the start.
Given that my background is information and systems security, I tend to preach security best practices (in conjunction with PBP ;-), of course).

The intent was to reinforce that incoming information (in this case a file handle with no other attached information) should be sanitized within your module.

While the source could well be benign, it is not that hard to use secure practices from the start.

Given that my background is information and systems security, I tend to preach security best practices (in conjunction with PBP ;-), of course).

Sorry, but that is total bulls...! You're not preaching security, you're preaching pointless paranoia. And quoting "PBP" does not change that.

There is nothing you can do within a third-party module to validate a filename given to you by the caller, that the caller cannot do for himself. What are you going to do, take a look at the filename a reject it because you don't like the way it spelt? Or reject it because it's all uppercase? Say "No, I'm not going to allow you to open that file"?

There is no way a module can hope to internally perform the correct checks for every possible caller, so the only sensible option is to leave the caller to perform all the checks they require, and do none inside the module, because they would either be wrong, or redundant.

The only thing a module should do with a filename is try and open it, and report an error if the attempt fails. And once you realise that, then having the module accept a filehandle rather than a filename is just common sense.

---

Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.

"Science is about questioning the status quo. Questioning authority".

In the absence of evidence, opinion is indistinguishable from prejudice.

RIP an inspiration; A true Folk's Guy

What unknown source? Filehandles are special in-memory data structures. For one to exist, a program has to be running already. If a program is already running on your machine, its already running, the game is over, it doesn't need your module to do anything, its already running.

That allows the caller of the module to open a file, and actually drop privileges before calling the module. For instance, a daemon could start as a root user, open the necessary files, drop privileges to a normal user, and then call a third party module, passing it file handles (which where opened as the root user). Said module can no longer open files that require root privileges. Your suggestion however, requires the code in the module to run using root privileges.

Picture this: A program manages to escalate it's privileges, then opens a system file for write access. It then passes your module the file handle.

If you (instead) receive the file name, you have a better chance of making sure that any action your module takes is benign.