default value of security.bsd.hardlink_check_[ug]id
Jon Passki
cykyc at yahoo.com
Sat Jan 6 08:45:08 PST 2007
--- Robert Watson <rwatson at FreeBSD.org> wrote:
>
> On Mon, 1 Jan 2007, Colin Percival wrote:
>
> > Ceri Davies wrote:
> >> On Sat, Dec 30, 2006 at 09:08:42PM -0800, Colin Percival wrote:
> >>> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
> >>> with FreeBSD 7.x. This would make it impossible for a user to create a hard
> >>> link to a file which he does not own.
> >>
> >> a) you have provided no rationale;
> >
> > Allowing users to create hard links to files which they do not own creates
> > problems:
> > 1. If disk quotas are enabled, a user can waste another user's disk quota by
> > making it impossible for said other user to delete files.
> > 2. It becomes difficult to apply security fixes for issues involving setuid
> > binaries, since a local attacker could create hard links to all the setuid
> > binaries (or at least those on filesystems where he can write somewhere) and
> > wait for a security issue to be found.
>
> I find the second argument here most compelling, and use it as an example
> frequently when complaining about hard links. Hard links are also one of the
> elements that makes it difficult to usefully generate names for file system
> objects, due to their introducing ambiguity.
Or this goofy one:
http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/89589
Btw, OpenBSD does not allow this behavior but NetBSD does. At a
minimum, if the user cannot even copy a file, he or she ought not to
hard link the file. This behaviour, though, was permitted the last
time I checked.
Cheers,
Jon
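An audit helper for the two points raised in this thread, added here as an example and not part of any poster's message: it checks whether the security.bsd.hardlink_check_uid/gid sysctls are set to 1 (reading sysctl(8) "name: value" output from stdin), and lists setuid binaries that carry more than one hard link, which is the exposure Colin describes. The sample sysctl text is constructed; the function names are my own.

```sh
#!/bin/sh
# Added example: audit the hard-link hardening discussed above.

# Return 0 when both hardlink_check sysctls in the "name: value" text on stdin
# are 1. Feed it `sysctl security.bsd` on FreeBSD, or constructed text.
hardlink_checks_enabled() {
    awk '
        /^security\.bsd\.hardlink_check_(u|g)id:/ {
            seen++
            if ($2 != 1) bad++
        }
        END { if (seen == 2 && bad == 0) exit 0; exit 1 }
    '
}

# Print setuid regular files under $1 that have more than one link. A setuid
# binary with an extra link outlives the upgrade that replaces its original path.
multilink_setuid() {
    find "$1" -type f -perm -4000 -links +1 2>/dev/null
}

# Constructed sample sysctl output in FreeBSD's "name: value" format.
SAMPLE_WEAK='security.bsd.hardlink_check_uid: 0
security.bsd.hardlink_check_gid: 0'
SAMPLE_HARDENED='security.bsd.hardlink_check_uid: 1
security.bsd.hardlink_check_gid: 1'

if printf '%s\n' "$SAMPLE_WEAK" | hardlink_checks_enabled; then
    echo "sample (weak): hard link checks enabled"
else
    echo "sample (weak): hard link checks disabled"
fi

# On a live FreeBSD host, audit the real settings and a typical binary tree:
#   sysctl security.bsd | hardlink_checks_enabled || echo "hard link checks off"
#   multilink_setuid /usr
```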