Date: Fri, 17 Jul 2009 12:34:38 +0200
From: Jilles Tjoelker <jilles@stack.nl>
To: freebsd-current@freebsd.org
Subject: hard links to symlinks
Message-ID: <20090717103438.GB48647@stack.nl>

In compliance with POSIX.1-2008, linkat() allows creating hard links to symlinks. This means that it is a much worse idea to trust a symlink just because it is owned by a trusted user (if it is in a directory writable by other users). Security issues like http://archives.neohapsis.com/archives/postfix/2008-08/0391.html now affect FreeBSD 8 local filesystems as well.

Given that Linux and Solaris have allowed this for a long time, I think this functionality should remain, but it should probably be mentioned in the release notes. The security.bsd.hardlink_check_uid sysctl can be used to avoid vulnerabilities.

By the way, the man page erroneously says the AT_SYMLINK_NOFOLLOW flag should be set to have linkat() follow symlinks. The standard and the implementation are correct, AT_SYMLINK_FOLLOW; the AT_SYMLINK_NOFOLLOW flag is not valid for this function.

Note that the link command and the link() function always follow symlinks (this is POSIX.1-2001 and POSIX.1-2008 compliant), and the ln command will not create hard links to symlinks either. Hence, people may think it is not possible (the check in the Postfix advisory will not detect FreeBSD 8's capability).

I have a patch to add the POSIX.1-2008 -L and -P options to ln, making it possible to choose the desired behaviour (follow/don't follow symlinks). I think this is too late for 8.0, however.

--
Jilles Tjoelker
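
The linkat() flag semantics described in the message above, as an added example that is not part of the original e-mail or of FreeBSD's code. The function name link_kind, the file names and the /tmp scratch directory are constructed for illustration; it assumes a filesystem that permits hard links to symlinks.

```c
#define _POSIX_C_SOURCE 200809L /* linkat(), mkdtemp(), AT_* are POSIX.1-2008 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed scenario in a fresh temp dir: "target" is a regular file and
 * "sym" is a symlink to it. Link "sym" under the name "new" with the given
 * linkat() flags and report what "new" turned out to be.
 * Returns 1 if "new" is a hard link to the symlink itself, 2 if it is a
 * hard link to the symlink's target, -1 on any error. */
int link_kind(int flags)
{
    char dir[] = "/tmp/linkat-demo.XXXXXX";
    struct stat sym, target, made;
    int fd, dfd, kind = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) { rmdir(dir); return -1; }
    fd = openat(dfd, "target", O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd >= 0 && symlinkat("target", dfd, "sym") == 0 &&
        linkat(dfd, "sym", dfd, "new", flags) == 0 &&
        fstatat(dfd, "sym", &sym, AT_SYMLINK_NOFOLLOW) == 0 &&
        fstatat(dfd, "target", &target, AT_SYMLINK_NOFOLLOW) == 0 &&
        fstatat(dfd, "new", &made, AT_SYMLINK_NOFOLLOW) == 0) {
        /* Same inode means same owner and mode: a hard-linked symlink
         * keeps the uid of whoever created the original symlink, so
         * ownership alone says nothing about who placed the name. */
        if (S_ISLNK(made.st_mode) && made.st_ino == sym.st_ino)
            kind = 1;
        else if (S_ISREG(made.st_mode) && made.st_ino == target.st_ino)
            kind = 2;
    }
    if (fd >= 0) close(fd);
    unlinkat(dfd, "new", 0);
    unlinkat(dfd, "sym", 0);
    unlinkat(dfd, "target", 0);
    close(dfd);
    rmdir(dir);
    return kind;
}

int main(void)
{
    printf("flags=0:                 %d\n", link_kind(0));
    printf("flags=AT_SYMLINK_FOLLOW: %d\n", link_kind(AT_SYMLINK_FOLLOW));
    return 0;
}
```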