From: Tim Robbins
To: Pawel Jakub Dawidek
cc: freebsd-security@freebsd.org
Date: Mon, 8 Mar 2004 21:25:55 +1100
Subject: Re: Call for review: restricted hardlinks.
Message-ID: <20040308102555.GA85110@cat.robbins.dropbear.id.au>
In-Reply-To: <20040308093642.GI10864@darkness.comp.waw.pl>

On Mon, Mar 08, 2004 at 10:36:42AM +0100, Pawel Jakub Dawidek wrote:
> Hi.
>
> I've had no response from so@ on this topic, probably because of lack of time,
> so I'll try here.
>
> Here is a patch that I'm planning to commit:
>
> http://people.freebsd.org/~pjd/patches/restricted_hardlinks.patch
>
> It adds two new sysctls:
>
> security.bsd.hardlink_check_uid
> security.bsd.hardlink_check_gid
>
> If sysctl security.bsd.hardlink_check_uid is set to 1, unprivileged users
> are not permitted to create hard links to files not owned by them.
> If sysctl security.bsd.hardlink_check_gid is set to 1, unprivileged users
> are not permitted to create hard links to files if they are not members
> of the file's group.
>
> For now, a user is able to create hardlinks to any file.

It might be more consistent with other UNIX access checks (e.g. vaccess())
if having the same uid as the file was sufficient to link to it, without
having to be a group member. I can't convince myself either way on this,
but it's worth thinking about.

Also be aware that as a side effect of this patch, old applications that
use the unlink()/link()/unlink() sequence instead of the rename() system
call may not be able to rename files they don't own.

Tim
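The two policies under discussion, written out as a user-space model so the difference can be checked on concrete cases. This is an added illustration, not code from the patch or from FreeBSD: the first function applies each enabled sysctl check independently, as the posted description reads; the second is Tim's suggested variant, where matching the file's uid is sufficient on its own. The struct names, the credential layout and the sample uids/gids are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* The two knobs, mirroring security.bsd.hardlink_check_uid and
 * security.bsd.hardlink_check_gid (model only, not the kernel code). */
struct hardlink_policy {
    bool check_uid;
    bool check_gid;
};

/* Credentials of the process calling link(2); constructed for this model. */
struct cred {
    uid_t uid;
    const gid_t *groups;  /* primary + supplementary group ids */
    size_t ngroups;
    bool privileged;      /* superuser: both checks are bypassed */
};

static bool in_group(const struct cred *c, gid_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Policy as posted: every enabled check must pass on its own, so with both
 * sysctls set the owner must also be a member of the file's group. */
bool hardlink_allowed_posted(const struct hardlink_policy *p,
                             const struct cred *c, uid_t file_uid, gid_t file_gid)
{
    if (c->privileged)
        return true;
    if (p->check_uid && c->uid != file_uid)
        return false;
    if (p->check_gid && !in_group(c, file_gid))
        return false;
    return true;
}

/* Tim's variant, closer to vaccess(): owning the file is sufficient by
 * itself; the uid and gid checks only restrict non-owners. */
bool hardlink_allowed_owner_sufficient(const struct hardlink_policy *p,
                                       const struct cred *c, uid_t file_uid, gid_t file_gid)
{
    if (c->privileged || c->uid == file_uid)
        return true;
    if (p->check_uid)
        return false;
    return !p->check_gid || in_group(c, file_gid);
}
```

The only case where the two disagree is an owner who is not a member of the file's group while the gid check is enabled; the model also makes the point that neither variant affects privileged processes.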