Date: Mon, 1 Jan 2007 10:41:33 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Bruce Evans <bde@zeta.org.au>
Cc: Colin Percival <cperciva@FreeBSD.org>, "freebsd-arch@freebsd.org" <freebsd-arch@FreeBSD.org>
Subject: Re: default value of security.bsd.hardlink_check_[ug]id
Message-ID: <20070101103544.T7974@fledge.watson.org>
In-Reply-To: <20070101205016.U3544@epsplex.bde.org>
References: <459745DA.1010801@freebsd.org> <20061231153329.Y8131@fledge.watson.org> <20070101205016.U3544@epsplex.bde.org>
On Mon, 1 Jan 2007, Bruce Evans wrote:
> On Sun, 31 Dec 2006, Robert Watson wrote:
>
>> I'm not entirely happy with the current implementation, FWIW. I'd like
>> can_hardlink to be implemented in the per file system code, possibly by
>> invoking a common routine of this sort, avoiding the extra call to
>> VOP_GETATTR(), and allowing file systems not implementing ownership in
>> traditional ways (msdosfs, etc) to do whatever makes sense in their
>> context. On the whole, these sorts of decisions are made in each file
>> system, often using common code (perhaps centralized), and not at the VFS
>> layer.
>
> I think it also has wrong semantics. It denies privilege based on
> non-ownership, while everything that uses vaccess() grants privilege based
> on ownership. This gives the surprising behaviour that if
> hardlink_check_gid = 1, the owner of a file can do anything to the file
> except link to it in cases where the group of the file isn't in the caller's
> group list (and no immutable bit is set).
Yes, I think you're right. Per our earlier thread on the structure of
privilege checks on arch@, security checks generally should look something like
this:
	/* Discretionary check first; privilege only overrides a DAC denial. */
	error = dac_check(cred, object);
	if (error) {
		error = priv_check(cred, privilege);
		if (error)
			return (error);
	}
The requirement for ownership or privilege for linking is part of the DAC
check in this structure. Operations seem to fall into three categories:
- Operations always requiring privilege.
- Operations requiring ownership or privilege.
- Operations requiring rights be granted via the ACL or privilege.
There may be a few edge cases requiring ownership, ACL, or privilege, but
these may also be bugs. I think we should always allow linking rights for the
owner and for privilege, and optionally also for the group or everyone. So
perhaps we want a linking mib entry that selects one of the following "levels"
for hard linking:
- Privilege required.
- Ownership or privilege required.
- Matching group or ownership or privilege required.
- Allowed for everyone.
Robert N M Watson
Computer Laboratory
University of Cambridge
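The two decision structures discussed in this thread, written out as a small user-space model (this is an added example, not code from the FreeBSD kernel or from either poster): legacy_can_hardlink() models the deny-on-non-membership semantics Bruce describes for hardlink_check_gid, and can_hardlink() models the dac_check()/priv_check() structure with the four "levels" Robert lists. The struct and function names, the has_priv flag standing in for priv_check() succeeding, and the sample credentials are all constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed credential: uid, group list, and a flag that stands in for
 * priv_check() succeeding (e.g. the caller is root). Not the kernel's ucred. */
struct cred {
    unsigned uid;
    unsigned gids[8];
    size_t ngids;
    bool has_priv;
};

/* Constructed file attributes: only what the link decision needs. */
struct object {
    unsigned uid;
    unsigned gid;
};

/* Hard-link policy levels, in the order the message lists them. */
enum link_level {
    LINK_PRIV_ONLY = 0,   /* privilege required */
    LINK_OWNER     = 1,   /* ownership or privilege required */
    LINK_GROUP     = 2,   /* matching group, ownership, or privilege required */
    LINK_EVERYONE  = 3    /* allowed for everyone */
};

static bool groupmember(const struct cred *c, unsigned gid) {
    for (size_t i = 0; i < c->ngids; i++)
        if (c->gids[i] == gid)
            return true;
    return false;
}

/* Stand-in for priv_check(): 0 when the privilege is held, else EPERM. */
static int priv_check(const struct cred *c) {
    return c->has_priv ? 0 : EPERM;
}

/* Model of the semantics objected to in the thread: with the gid check
 * enabled, the caller is denied for NOT being in the file's group, so the
 * owner of a file can be refused a link to it. */
int legacy_can_hardlink(const struct cred *c, const struct object *o,
                        bool check_uid, bool check_gid) {
    if (c->has_priv)
        return 0;
    if (check_uid && c->uid != o->uid)
        return EPERM;
    if (check_gid && !groupmember(c, o->gid))
        return EPERM;
    return 0;
}

/* DAC half of the proposed structure: grants on ownership (and on group
 * membership or unconditionally when the level allows), never denies the
 * owner for a missing group. */
static int dac_check_link(const struct cred *c, const struct object *o,
                          enum link_level lvl) {
    if (lvl == LINK_EVERYONE)
        return 0;
    if (lvl >= LINK_GROUP && groupmember(c, o->gid))
        return 0;
    if (lvl >= LINK_OWNER && c->uid == o->uid)
        return 0;
    return EPERM;
}

/* The dac_check()/priv_check() structure from the message, applied to linking. */
int can_hardlink(const struct cred *c, const struct object *o, enum link_level lvl) {
    int error = dac_check_link(c, o, lvl);
    if (error) {
        error = priv_check(c);
        if (error)
            return error;
    }
    return 0;
}

int main(void) {
    /* Constructed: the owner of the file is not in the file's group. */
    struct cred owner = { .uid = 1000, .gids = { 100 }, .ngids = 1, .has_priv = false };
    struct object file = { .uid = 1000, .gid = 200 };

    printf("legacy, hardlink_check_gid=1, owner not in group: %s\n",
           legacy_can_hardlink(&owner, &file, false, true) ? "denied" : "allowed");
    for (int lvl = LINK_PRIV_ONLY; lvl <= LINK_EVERYONE; lvl++)
        printf("proposed level %d, owner: %s\n", lvl,
               can_hardlink(&owner, &file, (enum link_level)lvl) ? "denied" : "allowed");
    return 0;
}
```

Under the legacy model the owner is denied as soon as the gid check is on, which is the surprise Bruce points out; under the proposed structure the owner is granted at every level except "privilege required", and privilege alone is sufficient at every level.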