From: Jilles Tjoelker
To: freebsd-current@freebsd.org
Date: Fri, 17 Jul 2009 12:34:38 +0200
Subject: hard links to symlinks
Message-ID: <20090717103438.GB48647@stack.nl>

In compliance with POSIX.1-2008, linkat() allows creating hard links to symlinks. This means that it is a much worse idea to trust a symlink just because it is owned by a trusted user (if it is in a directory writable by other users). Security issues like http://archives.neohapsis.com/archives/postfix/2008-08/0391.html now affect FreeBSD 8 local filesystems as well.

Given that Linux and Solaris have allowed this for a long time, I think this functionality should remain, but it should probably be mentioned in the release notes. The security.bsd.hardlink_check_uid sysctl can be used to avoid vulnerabilities.

By the way, the man page erroneously says the AT_SYMLINK_NOFOLLOW flag should be set to have linkat() follow symlinks. The standard and the implementation are correct, AT_SYMLINK_FOLLOW; the AT_SYMLINK_NOFOLLOW flag is not valid for this function.

Note that the link command and the link() function always follow symlinks (this is POSIX.1-2001 and POSIX.1-2008 compliant), and the ln command will not create hard links to symlinks either. Hence, people may think it is not possible (the check in the Postfix advisory will not detect FreeBSD 8's capability).

I have a patch to add the POSIX.1-2008 -L and -P options to ln, making it possible to choose the desired behaviour (follow/don't follow symlinks). I think this is too late for 8.0, however.

-- 
Jilles Tjoelker
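
An added example, not part of the original message: a C probe that reports whether the local filesystem lets linkat() with flag 0 hard-link a symlink itself, and confirms that AT_SYMLINK_FOLLOW links the target instead. The function name, bit names and file names are assumptions made for the demo; it works only inside a fresh mkdtemp() directory under /tmp and removes it afterwards.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define LINKED_SYMLINK 1 /* flag 0 gave the symlink itself a second name */
#define LINKED_TARGET  2 /* AT_SYMLINK_FOLLOW linked the regular file instead */
/* Works only inside a private mkdtemp() directory; every name is constructed
 * for this demo. Returns a mask of the bits above, or -1 if setup failed. */
int probe_linkat(void)
{
    char dir[] = "/tmp/hlprobeXXXXXX";
    struct stat sym, a, b, tgt;
    int d, fd, r = -1;
    if (mkdtemp(dir) == NULL) return -1;
    if ((d = open(dir, O_RDONLY | O_DIRECTORY)) < 0) { rmdir(dir); return -1; }
    if ((fd = openat(d, "target", O_CREAT | O_EXCL | O_WRONLY, 0600)) < 0) goto out;
    close(fd);
    if (symlinkat("target", d, "sym") != 0) goto out;
    r = 0;
    /* Flag 0: the symlink is not followed, so the new name is the symlink. */
    if (linkat(d, "sym", d, "nofollow", 0) == 0 &&
        fstatat(d, "sym", &sym, AT_SYMLINK_NOFOLLOW) == 0 &&
        fstatat(d, "nofollow", &a, AT_SYMLINK_NOFOLLOW) == 0 &&
        S_ISLNK(a.st_mode) && a.st_ino == sym.st_ino && sym.st_nlink == 2)
        r |= LINKED_SYMLINK;
    /* AT_SYMLINK_FOLLOW: resolve the symlink first, link the regular file. */
    if (linkat(d, "sym", d, "follow", AT_SYMLINK_FOLLOW) == 0 &&
        fstatat(d, "follow", &b, AT_SYMLINK_NOFOLLOW) == 0 &&
        fstatat(d, "target", &tgt, AT_SYMLINK_NOFOLLOW) == 0 &&
        S_ISREG(b.st_mode) && b.st_ino == tgt.st_ino)
        r |= LINKED_TARGET;
out:
    unlinkat(d, "follow", 0); unlinkat(d, "nofollow", 0);
    unlinkat(d, "sym", 0); unlinkat(d, "target", 0);
    close(d);
    rmdir(dir);
    return r;
}

int main(void)
{
    int r = probe_linkat();
    if (r < 0) return 1;
    printf("symlink itself hard-linked: %d, AT_SYMLINK_FOLLOW linked target: %d\n",
           !!(r & LINKED_SYMLINK), !!(r & LINKED_TARGET));
    return 0;
}
```

Where the first value is 1, a second directory entry for a symlink keeps the symlink's original owner, which is the situation the message describes.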