Date: Mon, 1 Jan 2007 21:06:15 +1100 (EST)
From: Bruce Evans <bde@zeta.org.au>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: Colin Percival <cperciva@FreeBSD.org>, "freebsd-arch@freebsd.org" <freebsd-arch@FreeBSD.org>
Subject: Re: default value of security.bsd.hardlink_check_[ug]id
Message-ID: <20070101205016.U3544@epsplex.bde.org>
In-Reply-To: <20061231153329.Y8131@fledge.watson.org>
References: <459745DA.1010801@freebsd.org> <20061231153329.Y8131@fledge.watson.org>
On Sun, 31 Dec 2006, Robert Watson wrote:

> I'm not entirely happy with the current implementation, FWIW. I'd like
> can_hardlink to be implemented in the per file system code, possibly by
> invoking a common routine of this sort, avoiding the extra call to
> VOP_GETATTR(), and allowing file systems not implementing ownership in
> traditional ways (msdosfs, etc) to do whatever makes sense in their context.
> On the whole, these sorts of decisions are made in each file system, often
> using common code (perhaps centralized), and not at the VFS layer.

I think it also has wrong semantics. It denies privilege based on
non-ownership, while everything that uses vaccess() grants privilege based
on ownership. This gives the surprising behaviour that if
hardlink_check_gid = 1, the owner of a file can do anything to the file
except link to it in cases where the group of the file isn't in the
caller's group list (and no immutable bit is set).

Bruce
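The semantic difference Bruce describes, as an added model that is not FreeBSD's can_hardlink() or vaccess() code: `link_check_deny_on_nonowner()` applies each enabled check as an independent denial, while `link_check_owner_grants()` lets ownership grant first and only consults group membership for non-owners. The struct names, the `is_superuser` stand-in for a successful privilege check, and the uid/gid values in the scenario functions are constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_NGROUPS 16

/* Stand-in for the caller's credentials (struct ucred in the kernel). */
struct cred {
    unsigned uid;
    unsigned gids[MODEL_NGROUPS];
    size_t ngids;
    bool is_superuser;   /* models a successful priv_check(); assumption */
};

/* Stand-in for the target file's attributes (struct vattr). */
struct fattr {
    unsigned uid;
    unsigned gid;
    bool immutable;
};

/* Stand-ins for the sysctls security.bsd.hardlink_check_uid / _gid. */
struct hardlink_policy {
    bool check_uid;
    bool check_gid;
};

static bool groupmember(unsigned gid, const struct cred *c)
{
    for (size_t i = 0; i < c->ngids; i++)
        if (c->gids[i] == gid)
            return true;
    return false;
}

/* Semantics as described in the message: every enabled check DENIES
 * unless the caller satisfies it (or holds privilege). Note that the
 * gid check is evaluated even when the caller owns the file. */
int link_check_deny_on_nonowner(const struct hardlink_policy *p,
                                const struct cred *c, const struct fattr *f)
{
    if (f->immutable)
        return EPERM;
    if (p->check_uid && c->uid != f->uid && !c->is_superuser)
        return EPERM;
    if (p->check_gid && !groupmember(f->gid, c) && !c->is_superuser)
        return EPERM;
    return 0;
}

/* vaccess()-style ordering: ownership GRANTS; group membership is only a
 * fallback for non-owners, so the owner is never refused a link. */
int link_check_owner_grants(const struct hardlink_policy *p,
                            const struct cred *c, const struct fattr *f)
{
    if (f->immutable)
        return EPERM;
    if (c->is_superuser)
        return 0;
    if (!p->check_uid && !p->check_gid)
        return 0;
    if (c->uid == f->uid)
        return 0;
    if (p->check_gid && groupmember(f->gid, c))
        return 0;
    return EPERM;
}

/* The case the message calls surprising: hardlink_check_gid=1, caller owns
 * the file, the file's group is not in the caller's list, no immutable bit. */
static int run_case(unsigned caller_uid, unsigned caller_gid, bool owner_grants)
{
    struct hardlink_policy p = { .check_uid = false, .check_gid = true };
    struct cred c = { .uid = caller_uid, .gids = { caller_gid }, .ngids = 1,
                      .is_superuser = false };
    struct fattr f = { .uid = 1001, .gid = 2000, .immutable = false };
    return owner_grants ? link_check_owner_grants(&p, &c, &f)
                        : link_check_deny_on_nonowner(&p, &c, &f);
}

int owner_foreign_group(bool owner_grants)   { return run_case(1001, 1001, owner_grants); }
int nonowner_member(bool owner_grants)       { return run_case(1002, 2000, owner_grants); }
int nonowner_nonmember(bool owner_grants)    { return run_case(1002, 1002, owner_grants); }

int main(void)
{
    printf("owner, foreign group:   deny-on-nonowner=%d  owner-grants=%d\n",
           owner_foreign_group(false), owner_foreign_group(true));
    printf("non-owner, member:      deny-on-nonowner=%d  owner-grants=%d\n",
           nonowner_member(false), nonowner_member(true));
    printf("non-owner, non-member:  deny-on-nonowner=%d  owner-grants=%d\n",
           nonowner_nonmember(false), nonowner_nonmember(true));
    return 0;
}
```

The first line of output is the point of the message: with only the gid check enabled, the deny-on-nonowner ordering returns EPERM to the file's own owner, whereas the ownership-grants ordering allows the link; the two orderings agree for every non-owner case.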