From: Ceri Davies
To: Colin Percival
Cc: freebsd-arch@freebsd.org
Date: Tue, 2 Jan 2007 11:05:53 +0000
Subject: Re: default value of security.bsd.hardlink_check_[ug]id
Message-ID: <20070102110552.GN97921@submonkey.net>
In-Reply-To: <4599E57C.5090904@freebsd.org>
List-Id: Discussion related to FreeBSD architecture

On Mon, Jan 01, 2007 at 08:54:20PM -0800, Colin Percival wrote:
> Ceri Davies wrote:
> > On Sat, Dec 30, 2006 at 09:08:42PM -0800, Colin Percival wrote:
> >> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
> >> with FreeBSD 7.x. This would make it impossible for a user to create a hard
> >> link to a file which he does not own.
> >
> > a) you have provided no rationale;
>
> Allowing users to create hard links to files which they do not own creates
> problems:
> 1. If disk quotas are enabled, a user can waste another user's disk quota by
> making it impossible for said other user to delete files.
> 2. It becomes difficult to apply security fixes for issues involving setuid
> binaries, since a local attacker could create hard links to all the setuid
> binaries (or at least those on filesystems where he can write somewhere) and
> wait for a security issue to be found.
>
> I honestly can't see why it was ever possible for users to create hard links
> to files which they don't own; hopefully someone can provide the historical
> background and tell me if the original reasons (whatever they were) still
> apply.

Notwithstanding the lack of documentation of the sysctls, I'm happy; thanks
for the follow up.

I've changed my Solaris 10 "crash" box to remove this ability from the basic
set [1]; I'll report if anything seems to go awry with it.

Ceri

[1] If anyone else would like to play along, edit /etc/security/policy.conf
to set PRIV_DEFAULT to basic,!file_link_any and reboot.

--
That must be wonderful! I don't understand it at all.
-- Moliere
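As an added example (not part of the thread, and not FreeBSD's own code), the following POSIX shell script simulates both of Colin's points with a single unprivileged user in a temporary directory. The `victim` and `attacker` directories stand in for two users' home directories; because both are owned by the same uid, the `ln` calls succeed even on a host where `security.bsd.hardlink_check_uid=1` would refuse a cross-owner link. The `hardlink_checks_enabled` helper reads the two real sysctls named in the thread and returns 2 on hosts that do not have them. The function names and the file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: why hard links to files you do not own
# are a problem, simulated by one user in a temp dir (victim/ and attacker/
# stand in for two home directories). Function names are invented here.
set -u

# 0 if both FreeBSD sysctls from the thread are 1, 1 if either is 0,
# 2 if this host has no such sysctls (e.g. not FreeBSD).
hardlink_checks_enabled() {
    uid_chk=$(sysctl -n security.bsd.hardlink_check_uid 2>/dev/null) || return 2
    gid_chk=$(sysctl -n security.bsd.hardlink_check_gid 2>/dev/null) || return 2
    [ "$uid_chk" = 1 ] && [ "$gid_chk" = 1 ]
}

# Point 2 from the thread: the attacker links a "setuid binary", the admin
# installs a fixed version, and the old inode stays reachable via the link.
# Prints what the attacker can still read after the fix.
retained_after_fix() {
    work=$(mktemp -d) || return 1
    mkdir "$work/victim" "$work/attacker"
    printf 'vulnerable-v1\n' > "$work/victim/suidprog"   # constructed stand-in
    chmod 755 "$work/victim/suidprog"
    # Attacker: a second name for the same inode, in a directory he controls.
    ln "$work/victim/suidprog" "$work/attacker/keep" || { rm -rf "$work"; return 1; }
    # "Security fix": install(1)-style replacement writes a new inode and
    # renames it over the old name; the old inode is not freed because
    # attacker/keep still references it.
    printf 'fixed-v2\n' > "$work/victim/suidprog.tmp"
    mv -f "$work/victim/suidprog.tmp" "$work/victim/suidprog"
    retained=$(cat "$work/attacker/keep")
    rm -rf "$work"
    printf '%s\n' "$retained"
}

# Point 1 from the thread: the victim deletes the file, but the attacker's
# link keeps the inode (and, with quotas, the charge against the inode's
# owner) alive. Prints the link count seen through the attacker's name.
links_after_victim_delete() {
    work=$(mktemp -d) || return 1
    mkdir "$work/victim" "$work/attacker"
    printf 'big data\n' > "$work/victim/data"             # constructed stand-in
    ln "$work/victim/data" "$work/attacker/hold" || { rm -rf "$work"; return 1; }
    rm "$work/victim/data"                                # victim tries to free the space
    # POSIX ls -l: field 2 is the link count; still 1, so the data is still there.
    nlinks=$(ls -l "$work/attacker/hold" | awk '{ print $2 }')
    rm -rf "$work"
    printf '%s\n' "$nlinks"
}

# Stand-alone run: report the sysctl state and both simulations.
hardlink_checks_enabled
echo "hardlink_check_[ug]id both 1? (0=yes, 1=no, 2=sysctls absent): $?"
echo "old content still readable after fix: $(retained_after_fix)"
echo "link count after victim's rm: $(links_after_victim_delete)"
```

On a FreeBSD host with both sysctls set to 1, a real cross-owner `ln` fails with "Operation not permitted" at the attacker's step; in this single-user simulation it always succeeds, which is exactly the condition the sysctls are meant to remove. Running the script as an ordinary user needs nothing beyond `mktemp`, `ln`, `ls` and `awk`.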