Date: Mon, 01 Jan 2007 20:54:20 -0800
From: Colin Percival <cperciva@freebsd.org>
To: Ceri Davies <ceri@submonkey.net>, Colin Percival <cperciva@freebsd.org>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
Subject: Re: default value of security.bsd.hardlink_check_[ug]id
Message-ID: <4599E57C.5090904@freebsd.org>
In-Reply-To: <20061231124431.GG97921@submonkey.net>
References: <459745DA.1010801@freebsd.org> <20061231124431.GG97921@submonkey.net>
Ceri Davies wrote:
> On Sat, Dec 30, 2006 at 09:08:42PM -0800, Colin Percival wrote:
>> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
>> with FreeBSD 7.x.  This would make it impossible for a user to create a hard
>> link to a file which he does not own.
>
> a) you have provided no rationale;

Allowing users to create hard links to files which they do not own creates
problems:

1. If disk quotas are enabled, a user can waste another user's disk quota by
making it impossible for said other user to delete files.

2. It becomes difficult to apply security fixes for issues involving setuid
binaries, since a local attacker could create hard links to all the setuid
binaries (or at least those on filesystems where he can write somewhere) and
wait for a security issue to be found.

I honestly can't see why it was ever possible for users to create hard links
to files which they don't own; hopefully someone can provide the historical
background and tell me if the original reasons (whatever they were) still
apply.

If it isn't possible to outlaw such hard linking entirely, I'd like to make
it impossible by default for (a) a user to create a hard link to a setuid
file which they do not own, and (b) a user to create a hard link to a setgid
file if they are not in the right group, since these are the important cases
for security.

Colin Percival
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4599E57C.5090904>
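The second problem in the mail, a hard link keeping a vulnerable setuid inode alive after the vendor replaces the binary, is easy to see on any Unix. The script below is an added example and is not part of the mail or of FreeBSD; it stages a fake tree under mktemp so it runs unprivileged, so the "setuid binary" is a text file owned by the current user (the link would otherwise fail with EPERM on FreeBSD when security.bsd.hardlink_check_uid=1, and on Linux with fs.protected_hardlinks=1). The paths, the file contents and the helper names are all constructed for the demonstration; the sysctl lookup at the end only returns a value on FreeBSD.

```shell
#!/bin/sh
# Added example, not code from the original thread. Shows why a hard link
# made before a security update preserves the old (vulnerable) inode even
# after the package system replaces /usr/bin/<program>.
set -e

# Stage a fake root: a "setuid binary" plus an attacker-writable home.
# Everything here is owned by the current user (we are not root), which is
# exactly the case the hardlink_check_uid knob would NOT block.
setup_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/usr/bin" "$demo/home/attacker"
    printf 'vulnerable v1\n' > "$demo/usr/bin/suidprog"   # constructed content
    chmod 4755 "$demo/usr/bin/suidprog"                    # setuid bit, for illustration
    echo "$demo"
}

# Attacker step: hard-link the binary somewhere the attacker can write.
# On FreeBSD with security.bsd.hardlink_check_uid=1 this link(2) fails
# for a file owned by someone else; here we own it, so it succeeds.
link_as_attacker() {
    ln "$1/usr/bin/suidprog" "$1/home/attacker/keep"
}

# Vendor step: install(1)-style upgrade. A new inode is written and
# renamed over the old path; the old inode is only unlinked from /usr/bin.
upgrade_binary() {
    printf 'fixed v2\n' > "$1/usr/bin/suidprog.new"
    chmod 4755 "$1/usr/bin/suidprog.new"
    mv -f "$1/usr/bin/suidprog.new" "$1/usr/bin/suidprog"
}

# Link count of a path; field 2 of ls -l on both GNU and BSD ls.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

installed_content()     { cat "$1/usr/bin/suidprog"; }
attacker_copy_content() { cat "$1/home/attacker/keep"; }

# The knob discussed in the thread; prints "unavailable" off FreeBSD.
hardlink_check_uid() {
    sysctl -n security.bsd.hardlink_check_uid 2>/dev/null || echo unavailable
}

demo_run() {
    d=$(setup_demo)
    link_as_attacker "$d"
    echo "link count before upgrade: $(link_count "$d/usr/bin/suidprog")"
    upgrade_binary "$d"
    echo "link count after upgrade:  $(link_count "$d/usr/bin/suidprog")"
    echo "installed now:  $(installed_content "$d")"
    echo "attacker keeps: $(attacker_copy_content "$d")"
    echo "security.bsd.hardlink_check_uid = $(hardlink_check_uid)"
    rm -rf "$d"
}

demo_run
```

After the upgrade the path in /usr/bin points at the fixed inode with link count 1, while the attacker's link still names the old inode, mode bits and all; only a chmod or overwrite of the old inode in place (rather than a rename over the path) would reach it. The same mechanism is what makes the quota complaint in point 1 work: the file's owner cannot bring the block count to zero while someone else holds a link.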