default value of security.bsd.hardlink_check_[ug]id
Ceri Davies
ceri at submonkey.net
Tue Jan 2 03:05:54 PST 2007
On Mon, Jan 01, 2007 at 08:54:20PM -0800, Colin Percival wrote:
> Ceri Davies wrote:
> > On Sat, Dec 30, 2006 at 09:08:42PM -0800, Colin Percival wrote:
> >> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
> >> with FreeBSD 7.x. This would make it impossible for a user to create a hard
> >> link to a file which he does not own.
> >
> > a) you have provided no rationale;
>
> Allowing users to create hard links to files which they do not own creates
> problems:
> 1. If disk quotas are enabled, a user can waste another user's disk quota by
> making it impossible for said other user to delete files.
> 2. It becomes difficult to apply security fixes for issues involving setuid
> binaries, since a local attacker could create hard links to all the setuid
> binaries (or at least those on filesystems where he can write somewhere) and
> wait for a security issue to be found.
>
> I honestly can't see why it was ever possible for users to create hard links
> to files which they don't own; hopefully someone can provide the historical
> background and tell me if the original reasons (whatever they were) still
> apply.
Notwithstanding the lack of documentation of the sysctls, I'm happy;
thanks for the follow up.
I've changed my Solaris 10 "crash" box to remove this ability from the
basic set [1]; I'll report if anything seems to go awry with it.
Ceri
[1] If anyone else would like to play along, edit
/etc/security/policy.conf to set PRIV_DEFAULT to basic,!file_link_any
and reboot.
--
That must be wonderful! I don't understand it at all.
-- Moliere
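Both problems Colin lists come down to one fact: a hard link keeps the inode (and its blocks) alive after the owner unlinks the original name. The following is an added example, not code from the thread or from FreeBSD: it demonstrates that persistence in a temporary directory and shows a scan an administrator can run to find inodes reachable under more than one name, flagging setuid/setgid files and names that live in directories the file's owner does not control. All paths and file names are constructed; a single uid plays both "users" since the demo needs no privilege.

```python
import os
import stat
import tempfile
from collections import defaultdict

def find_multilinked(root):
    """Group regular files under root by (st_dev, st_ino) and report each
    inode that has more than one name. 'foreign' lists the names that sit
    in a directory not owned by the file's owner, i.e. links someone else
    made; 'setid' marks the setuid/setgid case from point 2."""
    by_inode = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                by_inode[(st.st_dev, st.st_ino)].append((path, st))
    report = []
    for entries in by_inode.values():
        st = entries[0][1]
        if st.st_nlink > 1:
            report.append({
                "paths": sorted(p for p, _ in entries),
                "nlink": st.st_nlink,
                "owner_uid": st.st_uid,
                "setid": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
                "foreign": sorted(p for p, _ in entries
                                  if os.lstat(os.path.dirname(p)).st_uid != st.st_uid),
            })
    return report

def demo():
    """Constructed scenario (one uid plays both users, so 'foreign' stays
    empty): owner writes data.txt, other hard-links it, owner deletes the
    original. The 4096 bytes stay allocated and charged to owner's quota."""
    with tempfile.TemporaryDirectory() as root:
        owner_dir, other_dir = (os.path.join(root, d) for d in ("owner", "other"))
        for d in (owner_dir, other_dir):
            os.makedirs(d)
        original = os.path.join(owner_dir, "data.txt")
        with open(original, "wb") as f:
            f.write(b"x" * 4096)
        link = os.path.join(other_dir, "keep.txt")
        os.link(original, link)
        report = find_multilinked(root)   # one inode, two names, nlink 2
        os.unlink(original)               # owner "deletes" the file
        st = os.stat(link)                # data is still reachable
        return {"report": report, "nlink_after": st.st_nlink,
                "size_after": st.st_size}
```

Run against a real filesystem, a non-empty 'foreign' list for a setid binary is exactly the situation that the hardlink_check sysctls (or Solaris' removal of file_link_any) are meant to prevent.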