From: Colin Percival <cperciva@freebsd.org>
To: freebsd-arch@freebsd.org
Date: Sat, 30 Dec 2006 21:08:42 -0800
Message-ID: <459745DA.1010801@freebsd.org>
Subject: default value of security.bsd.hardlink_check_[ug]id

FreeBSD Architects,

I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting with FreeBSD 7.x. This would make it impossible for a user to create a hard link to a file which he does not own.

Any objections?

Colin Percival

----------------------------------------------------------------------

From: Ceri Davies <ceri@submonkey.net>
To: Colin Percival
Cc: freebsd-arch@freebsd.org
Date: Sun, 31 Dec 2006 12:44:31 +0000
Message-ID: <20061231124431.GG97921@submonkey.net>
In-Reply-To: <459745DA.1010801@freebsd.org>
Subject: Re: default value of security.bsd.hardlink_check_[ug]id

On Sat, Dec 30, 2006 at 09:08:42PM -0800, Colin Percival wrote:
> FreeBSD Architects,
>
> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
> with FreeBSD 7.x. This would make it impossible for a user to create a hard
> link to a file which he does not own.
>
> Any objections?

One here, on the grounds that:

a) you have provided no rationale;
b) that sysctl does not currently seem to be documented anywhere, so changing its default value would violate POLA.

There is a longer answer in which I pine after Solaris' privileges(5) again, or wonder if this can be implemented for "system" processes only using the new priv(9) API instead.

Ceri
--
That must be wonderful! I don't understand it at all.
-- Moliere

----------------------------------------------------------------------

From: Robert Watson <rwatson@FreeBSD.org>
To: Colin Percival
Cc: freebsd-arch@freebsd.org
Date: Sun, 31 Dec 2006 15:36:33 +0000 (GMT)
Message-ID: <20061231153329.Y8131@fledge.watson.org>
In-Reply-To: <459745DA.1010801@freebsd.org>
Subject: Re: default value of security.bsd.hardlink_check_[ug]id

On Sat, 30 Dec 2006, Colin Percival wrote:

> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
> with FreeBSD 7.x. This would make it impossible for a user to create a hard
> link to a file which he does not own.
>
> Any objections?

I'm not opposed to this in principle (in fact, I think it's a good idea in principle), but I think it would make sense to evaluate what other operating systems are doing on this front. For example, I think Pawel recently mentioned that Sun has already made this change (or the equivalent in Solaris), but we should confirm that, and google to see if there have been many problems for Solaris users. Likewise, have similar changes been made in Linux or the hardened Linux distributions, and what sorts of problems have been reported? If it's widespread then it's likely most major applications won't have a problem with it, but if not, we should be prepared to work through tracking them down.

I'm not entirely happy with the current implementation, FWIW. I'd like can_hardlink to be implemented in the per file system code, possibly by invoking a common routine of this sort, avoiding the extra call to VOP_GETATTR(), and allowing file systems not implementing ownership in traditional ways (msdosfs, etc) to do whatever makes sense in their context. On the whole, these sorts of decisions are made in each file system, often using common code (perhaps centralized), and not at the VFS layer.

Robert N M Watson
Computer Laboratory
University of Cambridge

----------------------------------------------------------------------

From: Robert Watson <rwatson@FreeBSD.org>
To: Ceri Davies
Cc: Colin Percival, freebsd-arch@freebsd.org
Date: Sun, 31 Dec 2006 15:39:04 +0000 (GMT)
Message-ID: <20061231153645.Y8131@fledge.watson.org>
In-Reply-To: <20061231124431.GG97921@submonkey.net>
Subject: Re: default value of security.bsd.hardlink_check_[ug]id

On Sun, 31 Dec 2006, Ceri Davies wrote:

> On Sat, Dec 30, 2006 at 09:08:42PM -0800, Colin Percival wrote:
>> FreeBSD Architects,
>>
>> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
>> with FreeBSD 7.x. This would make it impossible for a user to create a
>> hard link to a file which he does not own.
>>
>> Any objections?
>
> One here, on the grounds that:
>
> a) you have provided no rationale;
> b) that sysctl does not currently seem to be documented anywhere, so
> changing its default value would violate POLA.
>
> There is a longer answer in which I pine after Solaris' privileges(5) again,
> or wonder if this can be implemented for "system" processes only using the
> new priv(9) API instead.

Priv(9) provides a useful foundation for doing something like this, and is a necessary first step to do it. However, to date I've been pretty careful to avoid changing the actual privilege model, just the expression of privilege checking. It should be possible to implement a more selective privilege model using a MAC Framework policy module today.

In the past, the TrustedBSD Project has fully implemented POSIX.1e privileges on FreeBSD, and having looked at the implementation, decided it was very high risk, and likely to lead to more vulnerabilities than it addressed. I think we should think very carefully before changing the OS privilege model, and make sure we're going about it in a robust and low-risk way.

Robert N M Watson
Computer Laboratory
University of Cambridge

----------------------------------------------------------------------

From: Ceri Davies <ceri@submonkey.net>
To: Robert Watson
Cc: Colin Percival, freebsd-arch@freebsd.org
Date: Sun, 31 Dec 2006 15:56:38 +0000
Message-ID: <20061231155638.GH97921@submonkey.net>
In-Reply-To: <20061231153329.Y8131@fledge.watson.org>
Subject: Re: default value of security.bsd.hardlink_check_[ug]id

On Sun, Dec 31, 2006 at 03:36:33PM +0000, Robert Watson wrote:
> On Sat, 30 Dec 2006, Colin Percival wrote:
>
>> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
>> with FreeBSD 7.x. This would make it impossible for a user to create a
>> hard link to a file which he does not own.
>>
>> Any objections?
>
> I'm not opposed to this in principle (in fact, I think it's a good idea in
> principle), but I think it would make sense to evaluate what other
> operating systems are doing on this front. For example, I think Pawel
> recently mentioned that Sun has already made this change (or the equivalent
> in Solaris), but we should confirm that, and google to see if there have
> been many problems for Solaris users.

Solaris 10 definitely hasn't done this. The ability to create hard links to files that you do not own is controlled by the file_link_any privilege which is in the basic set, the basic set being defined as "what unprivileged processes could do before we introduced privileges(5)". Of course, you can configure Solaris such that unprivileged processes get a subset of the basic set by default (via policy.conf), but that isn't how it comes out of the box.

The current OpenSolaris code base hasn't changed this either; see src/uts/common/os/priv_defs.

Ceri
--
That must be wonderful! I don't understand it at all.
-- Moliere
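The ownership check the thread debates, as an added illustrative model rather than FreeBSD's can_hardlink() or any participant's code: a userspace C decision function in which the two sysctls appear as booleans, a `privileged` flag stands in for a successful priv(9) check, and the gid variant is assumed (my assumption, not stated in the thread) to require membership in the target file's group.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Constructed model of the two knobs named in the thread. */
struct hardlink_policy {
    bool check_uid;        /* security.bsd.hardlink_check_uid */
    bool check_gid;        /* security.bsd.hardlink_check_gid */
};

/* Minimal stand-in for a process credential (not FreeBSD's struct ucred). */
struct cred {
    uid_t uid;
    const gid_t *groups;   /* effective gid plus supplementary groups */
    size_t ngroups;
    bool privileged;       /* stands in for a successful priv(9) check */
};

static bool group_member(const struct cred *c, gid_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Returns 0 when the link may be created, EPERM when the policy denies it.
 * With both knobs off this is classic Unix behaviour: anyone who can reach
 * the file may link to it. */
int can_hardlink_model(const struct hardlink_policy *p, const struct cred *c,
                       uid_t file_uid, gid_t file_gid)
{
    if (p->check_uid && c->uid != file_uid && !c->privileged)
        return EPERM;   /* caller does not own the target file */
    if (p->check_gid && !group_member(c, file_gid) && !c->privileged)
        return EPERM;   /* caller is not in the target file's group (assumed) */
    return 0;
}

/* Convenience wrapper: a credential with one supplementary group. */
int link_decision(bool check_uid, bool check_gid, bool privileged,
                  uid_t uid, gid_t gid, gid_t extra_gid,
                  uid_t file_uid, gid_t file_gid)
{
    const gid_t groups[] = { gid, extra_gid };
    const struct cred c = { uid, groups, 2, privileged };
    const struct hardlink_policy p = { check_uid, check_gid };
    return can_hardlink_model(&p, &c, file_uid, file_gid);
}
```

The cases worth checking are the ones the thread turns on: with both knobs off a non-owner may link to a root-owned file, with check_uid on only the owner or a privileged process may, and the gid variant is satisfied through a supplementary group as well as the effective one.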