From: Ceri Davies
To: Robert Watson
Cc: Colin Percival, freebsd-arch@freebsd.org
Date: Sun, 31 Dec 2006 15:56:38 +0000
Subject: Re: default value of security.bsd.hardlink_check_[ug]id
Message-ID: <20061231155638.GH97921@submonkey.net>
In-Reply-To: <20061231153329.Y8131@fledge.watson.org>
References: <459745DA.1010801@freebsd.org> <20061231153329.Y8131@fledge.watson.org>
List-Id: Discussion related to FreeBSD architecture

On Sun, Dec 31, 2006 at 03:36:33PM +0000, Robert Watson wrote:
> On Sat, 30 Dec 2006, Colin Percival wrote:
>
> > I'd like to make security.bsd.hardlink_check_[ug]id default to 1,
> > starting with FreeBSD 7.x. This would make it impossible for a user
> > to create a hard link to a file which he does not own.
> >
> > Any objections?
>
> I'm not opposed to this in principle (in fact, I think it's a good idea
> in principle), but I think it would make sense to evaluate what other
> operating systems are doing on this front. For example, I think Pawel
> recently mentioned that Sun has already made this change (or the
> equivalent in Solaris), but we should confirm that, and google to see
> if there have been many problems for Solaris users.

Solaris 10 definitely hasn't done this. The ability to create hard links
to a file that you do not own is controlled by the file_link_any
privilege, which is in the basic set, the basic set being defined as
"what unprivileged processes could do before we introduced
privileges(5)".

Of course, you can configure Solaris such that unprivileged processes get
a subset of the basic set by default (via policy.conf), but that isn't
how it comes out of the box. The current OpenSolaris code base hasn't
changed this either; see src/uts/common/os/priv_defs.

Ceri
--
That must be wonderful! I don't understand it at all.
  -- Moliere