Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 2 Jan 2007 11:05:53 +0000
From:      Ceri Davies <ceri@submonkey.net>
To:        Colin Percival <cperciva@freebsd.org>
Cc:        "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
Subject:   Re: default value of security.bsd.hardlink_check_[ug]id
Message-ID:  <20070102110552.GN97921@submonkey.net>
In-Reply-To: <4599E57C.5090904@freebsd.org>
References:  <459745DA.1010801@freebsd.org> <20061231124431.GG97921@submonkey.net> <4599E57C.5090904@freebsd.org>
index | next in thread | previous in thread | raw e-mail 

[-- Attachment #1 --]
On Mon, Jan 01, 2007 at 08:54:20PM -0800, Colin Percival wrote:
> Ceri Davies wrote:
> > On Sat, Dec 30, 2006 at 09:08:42PM -0800, Colin Percival wrote:
> >> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
> >> with FreeBSD 7.x.  This would make it impossible for a user to create a hard
> >> link to a file which he does not own.
> > 
> >  a) you have provided no rationale;
> 
> Allowing users to create hard links to files which they do not own creates
> problems:
> 1. If disk quotas are enabled, a user can waste another user's disk quota by
> making it impossible for said other user to delete files.
> 2. It becomes difficult to apply security fixes for issues involving setuid
> binaries, since a local attacker could create hard links to all the setuid
> binaries (or at least those on filesystems where he can write somewhere) and
> wait for a security issue to be found.
> 
> I honestly can't see why it was ever possible for users to create hard links
> to files which they don't own; hopefully someone can provide the historical
> background and tell me if the original reasons (whatever they were) still
> apply.

Notwithstanding the lack of documentation of the sysctls, I'm happy;
thanks for the follow up.

I've changed my Solaris 10 "crash" box to remove this ability from the
basic set [1]; I'll report if anything seems to go awry with it.

Ceri

[1] If anyone else would like to play along, edit
/etc/security/policy.conf to set PRIV_DEFAULT to basic,!file_link_any
and reboot.
-- 
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQFFmjyQocfcwTS3JF8RAhsNAJ9bhjsLri5u7Qun1oQ0mbLWggHJKQCdFtG6
HWhhIgX/ahFSAZxZycuyYsQ=
=QFrj
-----END PGP SIGNATURE-----
help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070102110552.GN97921>