default value of security.bsd.hardlink_check_[ug]id

Robert Watson rwatson at FreeBSD.org
Sun Dec 31 07:39:07 PST 2006


On Sun, 31 Dec 2006, Ceri Davies wrote:

> On Sat, Dec 30, 2006 at 09:08:42PM -0800, Colin Percival wrote:
>> FreeBSD Architects,
>>
>> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting 
>> with FreeBSD 7.x.  This would make it impossible for a user to create a 
>> hard link to a file which he does not own.
>>
>> Any objections?
>
> One here, on the grounds that:
>
> a) you have provided no rationale;
> b) that sysctl does not currently seem to be documented anywhere, so
>     changing its default value would violate POLA.
>
> There is a longer answer in which I pine after Solaris' privileges(5) again, 
> or wonder if this can be implemented for "system" processes only using the 
> new priv(9) API instead.

Priv(9) provides a useful foundation for doing something like this, and is a 
necessary first step to do it.  However, to date I've been pretty careful to 
avoid changing the actual privilege model, just the expression of privilege 
checking.  It should be possibly to implement a more selective privilege model 
using a MAC Framework policy module today.  In the past, the TrustedBSD 
Project has fully implemented POSIX.1e privileges on FreeBSD, and having 
looked at the implementation, decided it was very high risk, and likely to 
lead to more vulnerabilities than it addressed.  I think we should think very 
carefully before changing the OS privilege model, and make sure we're going 
about it in a robust and low-risk way.

Robert N M Watson
Computer Laboratory
University of Cambridge


More information about the freebsd-arch mailing list