Date: Mon, 27 Oct 1997 17:26:08 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: guido@gvr.org (Guido van Rooij)
Cc: roberto@keltia.freenix.fr, freebsd-fs@FreeBSD.ORG
Subject: Re: disabled symlinks
Message-ID: <199710271726.KAA13912@usr01.primenet.com>
In-Reply-To: <199710270752.IAA17352@gvr.gvr.org> from "Guido van Rooij" at Oct 27, 97 08:52:41 am

> > > The nosymlink flag does not allow the creation of a symlink
> > > on the mounted file system.
> >
> > Could you please modify your patch not to _follow_ symlinks in order to
> > disallow all symlinks in a given FS?
> >
> > I think that mounting "nosymlinks" should mean "no symlinks whatsoever".
>
> In fact, perhaps this is more what you want than to disallow creation.
> That would also be more in line with nosuid. Creation of these files is okay,
> but the s{u,g}id bits are not honoured.

I disagree. If you disallow creation of links, then the only way
links could exist is if they were put there before the mount option
was specified -- ie: by the system administrator.

In fact, I would prefer he modify the patch to still allow root to
create symlinks. The danger you are escaping is symlinks created
by your users.

Personally, I'd prefer that the security holes be closed instead of
worked around in this manner anyway, but if you are adding an option
as administrative fiat, then it ought to respect the administrator.

As far as "nosuid" goes, I will note that if root runs a program on
a nosuid mounted volume, the program runs as root. And root can
also "suid" to any user id, and run the program, simulating an "suid"
event.

So if the intent is to make it act like "nosuid", then it should only
affect creation, and being root should override the option (ie: root
can still create symlinks).

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.