From: Pawel Jakub Dawidek <pawel@dawidek.net>
To: Oleg Ginzburg
Cc: freebsd-fs@freebsd.org
Subject: Re: linkat(2) Operation not permitted
Date: Tue, 17 Sep 2013 20:09:04 +0200
Message-ID: <20130917180904.GA1406@garage.freebsd.pl>
In-Reply-To: <2628598.ea1ZiWMKQv@home.my.domain>
X-OS: FreeBSD 10.0-CURRENT amd64

On Sun, Sep 15, 2013 at 04:21:04PM -0700, Oleg Ginzburg wrote:
> Hi
>
> For some reason, creating a hardlink within one UFS fails for /usr/bin/chfn
> with "operation not permitted" messages (other files are ok)

This is because this file has the 'schg' flag set. See:

	# ls -lo /usr/bin/chfn

So this is a difference in handling the 'schg' flag by UFS and ZFS.

I think I like the UFS behaviour better. If a regular user has write access to
some directory which is part of the same file system as the set-uid binary,
then he can create a hardlink to the set-uid file and wait for a security hole
to be found in this set-uid file. For example, if /tmp/ and /usr/bin/ are on a
single file system, I could create hardlinks to chfn and other set-uid-root
binaries, and once a security hole is found, even if the system is updated, I
still have access to the old set-uid-root binary to exploit.

My suggestion would be to change the ZFS behaviour to not allow hardlinks if
the 'schg' flag is set. Something like this (not even compile-tested):

http://people.freebsd.org/~pjd/patches/zfs_vnops.c.8.patch

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
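An added audit script for the situation described in the reply above (not code from the thread or from FreeBSD): it lists set-uid files on one file system that have more than one hard link, which is the trace a stale /tmp alias of a set-uid binary leaves behind. The function names and the temporary demo tree it builds are constructed for this example.

```shell
#!/bin/sh
# Audit one file system for set-uid files that have more than one hard link.
# Added example, not code from the mail or from FreeBSD. Paths and names in
# make_demo_tree are constructed for illustration only.

# Print every set-uid regular file below $1 whose link count is above 1.
# -xdev keeps find on one file system, which is the only place a hard link
# to the binary can live. On FreeBSD, "ls -lo" on a hit shows its flags.
find_multilinked_setuid() {
    find "$1" -xdev -type f -perm -4000 -links +1 2>/dev/null
}

# Count distinct inodes among the hits; every extra name of a binary shares
# its inode, so two paths in the listing can be one aliased file.
count_multilinked_setuid_inodes() {
    find_multilinked_setuid "$1" |
    while IFS= read -r path; do
        ls -i "$path" | awk '{ print $1 }'
    done | sort -u | wc -l | tr -d ' '
}

# Constructed scenario: a set-uid file plus a second hard link to it under
# "tmp", mirroring /tmp/chfn aliasing /usr/bin/chfn on a single file system.
# Prints the root of the temporary tree.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin" "$root/tmp"
    : > "$root/bin/chfn"
    chmod 4755 "$root/bin/chfn"          # set-uid, like the real chfn
    ln "$root/bin/chfn" "$root/tmp/chfn" # the alias a user could leave behind
    : > "$root/bin/plain"
    chmod 755 "$root/bin/plain"          # control file: set-uid off, one link
    printf '%s\n' "$root"
}

# Usage when run directly: audit a tree given on the command line, e.g. "/".
if [ "$#" -eq 1 ]; then
    echo "set-uid files with extra hard links under $1:"
    find_multilinked_setuid "$1"
    echo "distinct inodes: $(count_multilinked_setuid_inodes "$1")"
fi
```

Running it against "/" as root reports every set-uid binary that has an extra name somewhere on the root file system; on FreeBSD, each hit can then be checked with ls -lo for the 'schg' flag.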