default value of security.bsd.hardlink_check_[ug]id

Bruce Evans bde at zeta.org.au
Mon Jan 1 02:06:24 PST 2007


On Sun, 31 Dec 2006, Robert Watson wrote:

> I'm not entirely happy with the current implementation, FWIW.  I'd like 
> can_hardlink to be implemented in the per file system code, possibly by 
> invoking a common routine of this sort, avoiding the extra call to 
> VOP_GETATTR(), and allowing file systems not implementing ownership in 
> traditional ways (msdosfs, etc) to do whatever makes sense in their context. 
> On the whole, these sorts of decisions are made in each file system, often 
> using common code (perhaps centralized), and not at the VFS layer.

I think it also has wrong semantics.  It denies privilege based on
non-ownership, while everything that uses vaccess() grants privilege
based on ownership.  This gives the surprising behaviour that if
hardlink_check_gid = 1, the owner of a file can do anything to the
file except link to it in cases where the group of the file isn't in
the caller's group list (and no immutable bit is set).

Bruce
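
The following is an added illustration, not part of the original message and not FreeBSD's kernel code. It is a simplified userland model of the two styles of check discussed above: a grant-style check in which a matching owner decides the outcome, and a deny-style hard link check in which each enabled knob can veto. The names `cred`, `fattr`, `access_model` and `hardlink_model` are hypothetical, and treating uid 0 as privileged is an assumption.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified model; these structs and functions are hypothetical. */
struct cred  { uid_t uid; const gid_t *groups; size_t ngroups; };
struct fattr { uid_t uid; gid_t gid; mode_t mode; };

/* Knobs modelled after security.bsd.hardlink_check_[ug]id. */
static int hardlink_check_uid = 0;
static int hardlink_check_gid = 0;

static bool group_member(gid_t gid, const struct cred *c)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Grant-style: the first matching class (owner, group, other) decides.
 * 'want' is given in "other"-class bits, e.g. 02 = write, 04 = read. */
static int access_model(const struct fattr *fa, const struct cred *c, mode_t want)
{
    if (c->uid == 0)                       /* assumption: uid 0 is privileged */
        return 0;
    if (c->uid == fa->uid)
        return ((fa->mode >> 6) & want) == want ? 0 : EACCES;
    if (group_member(fa->gid, c))
        return ((fa->mode >> 3) & want) == want ? 0 : EACCES;
    return (fa->mode & want) == want ? 0 : EACCES;
}

/* Deny-style: every enabled knob can veto, even when the caller owns the file. */
static int hardlink_model(const struct fattr *fa, const struct cred *c)
{
    if (c->uid == 0)
        return 0;
    if (hardlink_check_uid && c->uid != fa->uid)
        return EPERM;
    if (hardlink_check_gid && !group_member(fa->gid, c))
        return EPERM;
    return 0;
}

int main(void)
{
    const gid_t groups[] = { 1001 };            /* constructed sample data */
    struct cred owner = { 1001, groups, 1 };
    struct fattr fa = { 1001, 2000, 0600 };     /* owned by caller, foreign group */
    hardlink_check_gid = 1;
    printf("read/write: %d, link: %d\n",
           access_model(&fa, &owner, 06), hardlink_model(&fa, &owner));
    return 0;
}
```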

