Date: Mon, 01 Jan 2007 20:54:20 -0800
From: Colin Percival <cperciva@freebsd.org>
To: Ceri Davies, Colin Percival, freebsd-arch@freebsd.org
Subject: Re: default value of security.bsd.hardlink_check_[ug]id
Message-id: <4599E57C.5090904@freebsd.org>
In-reply-to: <20061231124431.GG97921@submonkey.net>
References: <459745DA.1010801@freebsd.org> <20061231124431.GG97921@submonkey.net>

Ceri Davies wrote:
> On Sat, Dec 30, 2006 at 09:08:42PM -0800, Colin Percival wrote:
>> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
>> with FreeBSD 7.x. This would make it impossible for a user to create a hard
>> link to a file which he does not own.
>
> a) you have provided no rationale;

Allowing users to create hard links to files which they do not own creates
problems:

1. If disk quotas are enabled, a user can waste another user's disk quota by
making it impossible for said other user to delete files.

2. It becomes difficult to apply security fixes for issues involving setuid
binaries, since a local attacker could create hard links to all the setuid
binaries (or at least those on filesystems where he can write somewhere) and
wait for a security issue to be found.

I honestly can't see why it was ever possible for users to create hard links to
files which they don't own; hopefully someone can provide the historical
background and tell me if the original reasons (whatever they were) still apply.

If it isn't possible to outlaw such hard linking entirely, I'd like to make it
impossible by default for (a) a user to create a hard link to a setuid file
which they do not own, and (b) a user to create a hard link to a setgid file if
they are not in the right group, since these are the important cases for
security.

Colin Percival
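As an added example (not part of Colin Percival's message or of FreeBSD's own code), a small POSIX sh audit for the second problem he raises: setuid or setgid files that carry more than one hard link, which is how an old binary can outlive the path a security update replaces. It also reports the two sysctls under discussion when the kernel exposes them; the temporary directory, file names and sysctl.conf hint are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit for setuid/setgid files with extra hard links, the
# condition that lets an old binary survive after its path is replaced.

# Report the hardlink_check knobs from the thread. The proposed default is 1
# for both; on a kernel without them the value prints as "unavailable".
# To adopt that default, /etc/sysctl.conf would carry (constructed hint):
#   security.bsd.hardlink_check_uid=1
#   security.bsd.hardlink_check_gid=1
hardlink_policy_status() {
    for knob in security.bsd.hardlink_check_uid security.bsd.hardlink_check_gid; do
        val=$(sysctl -n "$knob" 2>/dev/null) || val="unavailable"
        printf '%s=%s\n' "$knob" "$val"
    done
}

# List regular files under $1 that are setuid (4000) or setgid (2000) AND have
# a link count above 1. -xdev stays on one filesystem; hard links cannot
# cross filesystems, so a per-filesystem scan is complete.
find_multilinked_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 2>/dev/null
}

# Constructed demonstration in a temporary directory:
#   suid_linked  - setuid, with a second hard link (should be reported)
#   suid_single  - setuid, one link only       (should not be reported)
#   plain_linked - not setuid, two links        (should not be reported)
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/suid_linked";  chmod 4755 "$dir/suid_linked"
    ln "$dir/suid_linked" "$dir/suid_linked.bak"
    : > "$dir/suid_single";  chmod 4755 "$dir/suid_single"
    : > "$dir/plain_linked"; ln "$dir/plain_linked" "$dir/plain_linked.bak"
    find_multilinked_setid "$dir" | sort
    rm -rf "$dir"
}
```

The find expression runs unchanged on FreeBSD, where the sysctl report is also meaningful; both links of each flagged inode are listed, so the administrator sees every path that would keep the old binary alive.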