default value of security.bsd.hardlink_check_[ug]id
rwatson at FreeBSD.org
Sun Dec 31 07:36:34 PST 2006
On Sat, 30 Dec 2006, Colin Percival wrote:
> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
> with FreeBSD 7.x. This would make it impossible for a user to create a hard
> link to a file which he does not own.
> Any objections?
I'm not opposed to this in principle (in fact, I think it's a good idea in
principle), but I think it would make sense to evaluate what other operating
systems are doing on this front. For example, I think Pawel recently
mentioned that Sun has already made this change (or the equivilent in
Solaris), but we should confirm that, and google to see if there have been
many problems for Solaris users. Likewise, have similar changes been made in
Linux or the hardened Linux distributions, and what sorts of problems have
been reported? If it's widespread then it's likely most major applications
won't have a problem with it, but if not, we should be prepared to work
through tracking them down.
I'm not entirely happy with the current implementation, FWIW. I'd like
can_hardlink to be implemented in the per file system code, possibly by
invoking a common routine of this sort, avoiding the extra call to
VOP_GETATTR(), and allowing file systems not implementing ownership in
traditional ways (msdosfs, etc) to do whatever makes sense in their context.
On the whole, these sorts of decisions are made in each file system, often
using common code (perhaps centralized), and not at the VFS layer.
Robert N M Watson
University of Cambridge
More information about the freebsd-arch