Date:      Tue, 2 Jan 2007 11:05:53 +0000
From:      Ceri Davies <ceri@submonkey.net>
To:        Colin Percival <cperciva@freebsd.org>
Cc:        "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
Subject:   Re: default value of security.bsd.hardlink_check_[ug]id
Message-ID:  <20070102110552.GN97921@submonkey.net>
In-Reply-To: <4599E57C.5090904@freebsd.org>
References:  <459745DA.1010801@freebsd.org> <20061231124431.GG97921@submonkey.net> <4599E57C.5090904@freebsd.org>

On Mon, Jan 01, 2007 at 08:54:20PM -0800, Colin Percival wrote:
> Ceri Davies wrote:
> > On Sat, Dec 30, 2006 at 09:08:42PM -0800, Colin Percival wrote:
> >> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
> >> with FreeBSD 7.x.  This would make it impossible for a user to create a hard
> >> link to a file which he does not own.
> >
> >  a) you have provided no rationale;
>
> Allowing users to create hard links to files which they do not own creates
> problems:
> 1. If disk quotas are enabled, a user can waste another user's disk quota by
> making it impossible for said other user to delete files.
> 2. It becomes difficult to apply security fixes for issues involving setuid
> binaries, since a local attacker could create hard links to all the setuid
> binaries (or at least those on filesystems where he can write somewhere) and
> wait for a security issue to be found.
>
> I honestly can't see why it was ever possible for users to create hard links
> to files which they don't own; hopefully someone can provide the historical
> background and tell me if the original reasons (whatever they were) still
> apply.

Notwithstanding the lack of documentation of the sysctls, I'm happy;
thanks for the follow up.

I've changed my Solaris 10 "crash" box to remove this ability from the
basic set [1]; I'll report if anything seems to go awry with it.

Ceri

[1] If anyone else would like to play along, edit
/etc/security/policy.conf to set PRIV_DEFAULT to basic,!file_link_any
and reboot.
-- 
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere
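The two settings discussed in this exchange, the FreeBSD security.bsd.hardlink_check_[ug]id sysctls and the Solaris 10 PRIV_DEFAULT line in /etc/security/policy.conf with file_link_any removed, can be audited from a script. The following is an added example, not code from the thread or from either project; the function names, the constructed sample inputs, and the assumption that the last uncommented PRIV_DEFAULT assignment is the effective one are mine. The checkers read text on stdin so they can be exercised offline; the comments give the live commands.

```shell
#!/bin/sh
# Added example (not part of the thread): report whether a host restricts
# users from creating hard links to files they do not own.
#
#   FreeBSD  : security.bsd.hardlink_check_uid and _gid must both be 1.
#   Solaris10: PRIV_DEFAULT in /etc/security/policy.conf must negate
#              file_link_any, e.g. PRIV_DEFAULT=basic,!file_link_any
#
# Each checker prints "restricted" or "permissive".

# FreeBSD.  Input lines are in `sysctl` output format, e.g.
#   security.bsd.hardlink_check_uid: 1
# A sysctl that is absent from the input counts as permissive.
# Live use:
#   sysctl security.bsd.hardlink_check_uid security.bsd.hardlink_check_gid \
#       | freebsd_hardlink_status
freebsd_hardlink_status() {
    awk -F': *' '
        $1 == "security.bsd.hardlink_check_uid" { uid = $2 + 0 }
        $1 == "security.bsd.hardlink_check_gid" { gid = $2 + 0 }
        END { print ((uid == 1 && gid == 1) ? "restricted" : "permissive") }'
}

# Solaris 10.  Comment lines are skipped.  Where several PRIV_DEFAULT
# assignments exist the last one is used (assumption about policy.conf
# precedence).  No assignment at all means the default basic set, which
# still contains file_link_any, so the result is permissive.
# Live use:
#   solaris_hardlink_status < /etc/security/policy.conf
solaris_hardlink_status() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*PRIV_DEFAULT[ \t]*=/ {
            sub(/^[ \t]*PRIV_DEFAULT[ \t]*=[ \t]*/, "")
            sub(/[ \t]*$/, "")
            val = $0
        }
        END {
            n = split(val, privs, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", privs[i])   # tolerate "basic , !file_link_any"
                if (privs[i] == "!file_link_any") found = 1
            }
            print (found ? "restricted" : "permissive")
        }'
}

# Constructed samples (not captured from real hosts).
SAMPLE_FREEBSD_DEFAULT='security.bsd.hardlink_check_uid: 0
security.bsd.hardlink_check_gid: 0'
SAMPLE_FREEBSD_HARDENED='security.bsd.hardlink_check_uid: 1
security.bsd.hardlink_check_gid: 1'
SAMPLE_POLICY_DEFAULT='# constructed policy.conf excerpt: stock defaults
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all'
SAMPLE_POLICY_HARDENED='# constructed policy.conf excerpt: file_link_any removed
PRIV_DEFAULT=basic,!file_link_any
#PRIV_LIMIT=all'

# Run the checkers against the samples.
main() {
    printf 'FreeBSD, stock sysctls   : %s\n' \
        "$(printf '%s\n' "$SAMPLE_FREEBSD_DEFAULT" | freebsd_hardlink_status)"
    printf 'FreeBSD, both set to 1   : %s\n' \
        "$(printf '%s\n' "$SAMPLE_FREEBSD_HARDENED" | freebsd_hardlink_status)"
    printf 'Solaris, stock policy    : %s\n' \
        "$(printf '%s\n' "$SAMPLE_POLICY_DEFAULT" | solaris_hardlink_status)"
    printf 'Solaris, !file_link_any  : %s\n' \
        "$(printf '%s\n' "$SAMPLE_POLICY_HARDENED" | solaris_hardlink_status)"
}

main "$@"
```

Both checkers deliberately treat "setting not found" as permissive: a missing sysctl (or a policy.conf with every PRIV_DEFAULT line commented out) leaves the historical behaviour in place, which is exactly the state the thread is arguing to change.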
