From: Bruce Evans
Date: Mon, 1 Jan 2007 21:06:15 +1100 (EST)
To: Robert Watson
Cc: Colin Percival, freebsd-arch@freebsd.org
Subject: Re: default value of security.bsd.hardlink_check_[ug]id
In-Reply-To: <20061231153329.Y8131@fledge.watson.org>
Message-ID: <20070101205016.U3544@epsplex.bde.org>

On Sun, 31 Dec 2006, Robert Watson wrote:

> I'm not entirely happy with the current implementation, FWIW. I'd like
> can_hardlink to be implemented in the per file system code, possibly by
> invoking a common routine of this sort, avoiding the extra call to
> VOP_GETATTR(), and allowing file systems not implementing ownership in
> traditional ways (msdosfs, etc) to do whatever makes sense in their context.
> On the whole, these sorts of decisions are made in each file system, often
> using common code (perhaps centralized), and not at the VFS layer.

I think it also has wrong semantics. It denies privilege based on
non-ownership, while everything that uses vaccess() grants privilege based
on ownership. This gives the surprising behaviour that if
hardlink_check_gid = 1, the owner of a file can do anything to the file
except link to it in cases where the group of the file isn't in the
caller's group list (and no immutable bit is set).

Bruce
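The semantic mismatch Bruce points out, as an added illustration that is not kernel code from FreeBSD or from anyone on this thread: an owner-based grant beside a hardlink_check_[ug]id-style denial, evaluated for the case of a file owner who is not in the file's group. The struct names, the uid/gid values and the omission of any privilege override are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel's credential and file-attribute records. */
struct cred { unsigned uid; const unsigned *groups; size_t ngroups; };
struct attr { unsigned uid; unsigned gid; };

static bool group_member(unsigned gid, const struct cred *c)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Owner-based grant, the shape of a vaccess()-style decision: ownership
 * is sufficient, regardless of group membership. */
bool owner_grants(const struct cred *c, const struct attr *a)
{
    return c->uid == a->uid;
}

/* hardlink_check_[ug]id-style denial: the caller must match on every
 * enabled check, so a failed group check vetoes even the owner.
 * (A privilege override is deliberately not modelled here.) */
bool hardlink_allowed(const struct cred *c, const struct attr *a,
                      int check_uid, int check_gid)
{
    if (check_uid && c->uid != a->uid)
        return false;
    if (check_gid && !group_member(a->gid, c))
        return false;
    return true;
}

/* The surprising case from the mail: file owner, not in the file's group,
 * hardlink_check_gid = 1. Returns true when owner access is granted but
 * the link is denied. */
bool owner_denied_link_case(void)
{
    static const unsigned groups[] = { 1001, 1002 };        /* constructed */
    struct cred c = { .uid = 1001, .groups = groups, .ngroups = 2 };
    struct attr a = { .uid = 1001, .gid = 2000 };           /* gid not in list */
    return owner_grants(&c, &a) && !hardlink_allowed(&c, &a, 0, 1);
}

int main(void)
{
    printf("owner granted by ownership, link denied by group check: %s\n",
           owner_denied_link_case() ? "yes" : "no");
    return 0;
}
```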