From owner-freebsd-security@FreeBSD.ORG Tue Mar 9 16:34:51 2004
Date: Tue, 9 Mar 2004 19:33:16 -0500 (EST)
From: Robert Watson <robert@fledge.watson.org>
To: "Georg-W. Koltermann"
cc: freebsd-security@FreeBSD.org
cc: Pawel Jakub Dawidek
In-Reply-To: <1078780238.1937.11.camel@localhost.muc.eu.mscsoftware.com>
Subject: Re: Call for review: restricted hardlinks.
List-Id: Security issues [members-only posting]

On Mon, 8 Mar 2004, Georg-W. Koltermann wrote:

> When you restrict links, do you want to restrict copying as well?
>
> Seems somewhat paranoid to me. You already need write permission on the
> directory where you create the link, and permissions are checked against
> the inode on open(2) anyway.

The "classic hard link attack" is to find a writable directory in a
partition containing setuid/setgid binaries, hard link them all to that
directory, then wait for an exploit to be discovered in one of them. The
administrator will apply the patches, rebuild, binary update, or whatever,
and think they're covered, but the attacker still has a reference that can
be executed later. This might be employed against /usr/{bin,sbin,local}
using /usr/tmp, or {/sbin,/bin} using /tmp in default file system layouts.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research

>
> My $0.0002.
>
> --
> Regards,
> Georg.
>
> On Mon, 08.03.2004 at 10:36, Pawel Jakub Dawidek wrote:
> > Hi.
> >
> > I've had no response from so@ on this topic, probably because of lack of
> > time, so I'll try here.
> >
> > Here is a patch that I'm planning to commit:
> >
> > http://people.freebsd.org/~pjd/patches/restricted_hardlinks.patch
> >
> > It adds two new sysctls:
> >
> > security.bsd.hardlink_check_uid
> > security.bsd.hardlink_check_gid
> >
> > If sysctl security.bsd.hardlink_check_uid is set to 1, unprivileged users
> > are not permitted to create hard links to files not owned by them.
> > If sysctl security.bsd.hardlink_check_gid is set to 1, unprivileged users
> > are not permitted to create hard links to files if they are not a member
> > of the file's group.
> >
> > For now a user is able to create hard links to any files.
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
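The attack Robert describes, replayed end to end, followed by the two audits a defender would run for it. This is an added shell example written for this archive page; it is not code from the thread, from Pawel's patch, or from the FreeBSD tree. It runs unprivileged in a scratch directory whose layout mirrors the /usr/bin versus /usr/tmp case: the "setuid binary" is a stand-in script named suidprog that the current user owns (a hypothetical name), the attacker's link is called .cache (also hypothetical), and the admin's patch is applied the way install(1) and binary updates do it, by writing a new file and renaming it over the old path. Because the stand-in file is owned by the user running the script, the ln succeeds even with Pawel's security.bsd.hardlink_check_uid=1 in effect; against a root-owned setuid binary that sysctl is exactly what would make the link fail.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: the "classic hard link
# attack" replayed unprivileged in a scratch directory, then two audits.
# The "setuid binary" is a stand-in script owned by the current user, so the
# ln below succeeds even under security.bsd.hardlink_check_uid=1 (Pawel's
# sysctl); on a root-owned file that setting would refuse the link.
set -eu

WORK=$(mktemp -d)
BIN="$WORK/usr/bin"   # stand-in for /usr/bin: attacker cannot write here
TMP="$WORK/usr/tmp"   # stand-in for /usr/tmp: world-writable, same filesystem
trap 'rm -rf "$WORK"' EXIT

inode_of() { ls -i "$1" | awk '{ print $1 }'; }
same_inode() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }

# Day 0: the vulnerable setuid program is installed.
install_vulnerable() {
    mkdir -p "$BIN" "$TMP"
    printf '#!/bin/sh\necho vulnerable\n' > "$BIN/suidprog"
    chmod 4755 "$BIN/suidprog"
}

# The attacker needs write access to TMP and nothing else: link(2) checks
# no permission on the target file itself and none on BIN.
attacker_links() { ln "$BIN/suidprog" "$TMP/.cache"; }

# Later: the admin installs the fix the way install(1) and binary updates
# do, writing a new file and renaming it over the old path. The old inode is
# merely unlinked from BIN; its contents and its setuid bit are untouched.
admin_patches() {
    printf '#!/bin/sh\necho fixed\n' > "$BIN/suidprog.tmp"
    chmod 4755 "$BIN/suidprog.tmp"
    mv -f "$BIN/suidprog.tmp" "$BIN/suidprog"
}

run_patched()  { sh "$BIN/suidprog"; }   # the path the admin checked
run_attacker() { sh "$TMP/.cache"; }     # the attacker's stale reference

# Audit 1: setuid/setgid files with more than one link. Only useful BEFORE
# the patch: once the original name is replaced, the stray copy is back to
# a single link and this check goes quiet.
audit_multilink_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -links +1
}

# Audit 2: setuid/setgid files anywhere under the root except the trusted
# binary directory. This is what still catches the stale copy afterwards.
audit_setuid_outside() {
    find "$1" -path "$2" -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print
}

install_vulnerable
attacker_links
if same_inode "$BIN/suidprog" "$TMP/.cache"; then
    echo "before patch: link and binary share an inode"
fi
MULTILINK_BEFORE=$(audit_multilink_setuid "$WORK")

admin_patches
MULTILINK_AFTER=$(audit_multilink_setuid "$WORK")
STRAY_AFTER=$(audit_setuid_outside "$WORK" "$BIN")

echo "patched path runs:   $(run_patched)"
echo "attacker link runs:  $(run_attacker)"
echo "multi-link setuid files before patch: ${MULTILINK_BEFORE:-none}"
echo "multi-link setuid files after patch:  ${MULTILINK_AFTER:-none}"
echo "setuid files outside $BIN after patch: ${STRAY_AFTER:-none}"
```

Run it with `sh demo.sh`. The point to take from the output is the order of the audits: the link-count check finds both names while the link still exists, but after the rename-over-the-top patch each inode has one link again and only a search for setuid files outside the trusted directories (or a mount of the writable tree with nosuid, or refusing the link in the first place with Pawel's sysctl) exposes the attacker's copy.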