default value of security.bsd.hardlink_check_[ug]id

Colin Percival cperciva at freebsd.org
Mon Jan 1 20:54:28 PST 2007


Ceri Davies wrote:
> On Sat, Dec 30, 2006 at 09:08:42PM -0800, Colin Percival wrote:
>> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
>> with FreeBSD 7.x.  This would make it impossible for a user to create a hard
>> link to a file which he does not own.
> 
>  a) you have provided no rationale;

Allowing users to create hard links to files which they do not own creates
problems:
1. If disk quotas are enabled, a user can waste another user's disk quota by
making it impossible for said other user to delete files.
2. It becomes difficult to apply security fixes for issues involving setuid
binaries, since a local attacker could create hard links to all the setuid
binaries (or at least those on filesystems where he can write somewhere) and
wait for a security issue to be found.

I honestly can't see why it was ever possible for users to create hard links
to files which they don't own; hopefully someone can provide the historical
background and tell me if the original reasons (whatever they were) still
apply.

If it isn't possible to outlaw such hard linking entirely, I'd like to make
it impossible by default for
(a) a user to create a hard link to a setuid file which they do not own, and
(b) a user to create a hard link to a setgid file if they are not in the right
group,
since these are the important cases for security.

Colin Percival
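To make the proposed policy concrete, here is an added example that is not FreeBSD kernel code and not part of the original thread: a small user-space model in C of the decision the kernel's link(2) path would have to make. The `check_uid`/`check_gid` fields stand for the `security.bsd.hardlink_check_uid` and `security.bsd.hardlink_check_gid` sysctls; `setid_only` is a hypothetical knob for the fallback proposal (a)/(b) above, restricting the test to setuid/setgid targets; the `privileged` flag is an assumed superuser exemption. All names, structures and the sample users are constructed for illustration.

```c
/*
 * Added example (not FreeBSD kernel code): a user-space model of the
 * hard-link permission decision discussed in the thread.
 *
 *  - check_uid / check_gid model security.bsd.hardlink_check_uid and
 *    security.bsd.hardlink_check_gid (1 = enforce).
 *  - setid_only is a hypothetical knob for fallback proposal (a)/(b):
 *    apply the owner/group tests only to setuid / setgid targets.
 *  - privileged stands in for a superuser exemption (an assumption here).
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define HL_MAXGROUPS 16

struct hl_policy {
    int check_uid;   /* deny links to files the caller does not own */
    int check_gid;   /* deny links to files whose group the caller is not in */
    int setid_only;  /* hypothetical: enforce the above only on setuid/setgid files */
};

struct hl_cred {
    uid_t uid;
    gid_t groups[HL_MAXGROUPS];  /* groups[0] is the effective gid */
    int ngroups;
    bool privileged;             /* root / link privilege: bypasses the checks */
};

struct hl_target {               /* attributes of the existing file being linked */
    uid_t uid;
    gid_t gid;
    mode_t mode;
};

/* Is gid one of the caller's groups? */
static bool hl_groupmember(gid_t gid, const struct hl_cred *cred)
{
    for (int i = 0; i < cred->ngroups && i < HL_MAXGROUPS; i++)
        if (cred->groups[i] == gid)
            return true;
    return false;
}

/* Returns 0 if link(2) should be allowed, EPERM if it should be refused. */
int hl_can_hardlink(const struct hl_policy *pol, const struct hl_target *tgt,
                    const struct hl_cred *cred)
{
    if (cred->privileged)
        return 0;

    /* Under setid_only an ordinary file is always linkable; only
       setuid (owner test) and setgid (group test) files are restricted. */
    bool uid_in_scope = !pol->setid_only || (tgt->mode & S_ISUID) != 0;
    bool gid_in_scope = !pol->setid_only || (tgt->mode & S_ISGID) != 0;

    if (pol->check_uid && uid_in_scope && tgt->uid != cred->uid)
        return EPERM;
    if (pol->check_gid && gid_in_scope && !hl_groupmember(tgt->gid, cred))
        return EPERM;
    return 0;
}

int main(void)
{
    /* Constructed sample: user 1001 (groups 1001 and 20) tries to link to a
       setuid root binary and to an ordinary file owned by user 1002. */
    struct hl_cred alice = { .uid = 1001, .groups = {1001, 20}, .ngroups = 2, .privileged = false };
    struct hl_target suid_root = { .uid = 0, .gid = 0, .mode = S_ISUID | 0755 };
    struct hl_target bobs_file = { .uid = 1002, .gid = 1002, .mode = 0644 };

    struct hl_policy old_default = { .check_uid = 0, .check_gid = 0, .setid_only = 0 };
    struct hl_policy proposed    = { .check_uid = 1, .check_gid = 1, .setid_only = 0 };
    struct hl_policy fallback    = { .check_uid = 1, .check_gid = 1, .setid_only = 1 };

    const char *names[] = { "old default", "proposed default", "setid-only fallback" };
    const struct hl_policy *pols[] = { &old_default, &proposed, &fallback };
    for (int i = 0; i < 3; i++) {
        printf("%-20s suid root binary: %s, bob's file: %s\n", names[i],
               hl_can_hardlink(pols[i], &suid_root, &alice) ? "EPERM" : "allowed",
               hl_can_hardlink(pols[i], &bobs_file, &alice) ? "EPERM" : "allowed");
    }
    return 0;
}
```

Running the model shows the trade-off in the message: the old default lets alice pin both the setuid binary (the "wait for a security issue" case) and bob's file (the quota case); the proposed default refuses both; the setid-only fallback refuses the setuid binary but still lets her link bob's ordinary file, so it closes only the security case, not the quota one.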
