default value of security.bsd.hardlink_check_[ug]id
Robert Watson
rwatson at FreeBSD.org
Sun Dec 31 07:36:34 PST 2006
On Sat, 30 Dec 2006, Colin Percival wrote:
> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
> with FreeBSD 7.x. This would make it impossible for a user to create a hard
> link to a file which he does not own.
>
> Any objections?
I'm not opposed to this in principle (in fact, I think it's a good idea in
principle), but I think it would make sense to evaluate what other operating
systems are doing on this front. For example, I think Pawel recently
mentioned that Sun has already made this change (or the equivalent in
Solaris), but we should confirm that, and google to see if there have been
many problems for Solaris users. Likewise, have similar changes been made in
Linux or the hardened Linux distributions, and what sorts of problems have
been reported? If it's widespread then it's likely most major applications
won't have a problem with it, but if not, we should be prepared to work
through tracking them down.
I'm not entirely happy with the current implementation, FWIW. I'd like
can_hardlink to be implemented in the per file system code, possibly by
invoking a common routine of this sort, avoiding the extra call to
VOP_GETATTR(), and allowing file systems not implementing ownership in
traditional ways (msdosfs, etc) to do whatever makes sense in their context.
On the whole, these sorts of decisions are made in each file system, often
using common code (perhaps centralized), and not at the VFS layer.
Robert N M Watson
Computer Laboratory
University of Cambridge
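The decision the two sysctls control, modelled in userland C as an added example (this is not code from the thread, nor the FreeBSD kernel's can_hardlink() routine). It takes the ownership a stat(2)/VOP_GETATTR() call would return and the caller's credentials and reports whether the link is permitted under a given combination of security.bsd.hardlink_check_uid and security.bsd.hardlink_check_gid. Two details are assumptions of this example rather than statements from the message: that a privileged caller (root) is exempt from both checks, and that the gid check consults the caller's supplementary groups rather than only the effective gid.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Policy knobs modelled on security.bsd.hardlink_check_uid and
 * security.bsd.hardlink_check_gid (0 = off, 1 = on). */
struct hardlink_policy {
    int check_uid;
    int check_gid;
};

/* Caller credentials: effective uid, the group list (effective gid plus
 * supplementary groups), and a flag standing in for the kernel's privilege
 * check. Assumption of this example: a privileged caller is exempt. */
struct caller_cred {
    uid_t uid;
    const gid_t *groups;
    size_t ngroups;
    bool privileged;
};

/* File ownership as returned by stat(2) / VOP_GETATTR(). */
struct file_owner {
    uid_t uid;
    gid_t gid;
};

static bool
group_member(const struct caller_cred *cred, gid_t gid)
{
    for (size_t i = 0; i < cred->ngroups; i++)
        if (cred->groups[i] == gid)
            return true;
    return false;
}

/*
 * Returns true when the caller may create a hard link to the file:
 *  - check_uid on: the caller must own the file;
 *  - check_gid on: the caller must be a member of the file's group;
 *  - a privileged caller passes either check (assumption, see above).
 * With both knobs off (the pre-7.x default) every link is permitted.
 */
bool
hardlink_allowed(const struct hardlink_policy *pol,
                 const struct caller_cred *cred,
                 const struct file_owner *file)
{
    if (!pol->check_uid && !pol->check_gid)
        return true;
    if (cred->privileged)
        return true;
    if (pol->check_uid && cred->uid != file->uid)
        return false;
    if (pol->check_gid && !group_member(cred, file->gid))
        return false;
    return true;
}

/* The proposed 7.x default: both checks enabled. */
bool
hardlink_allowed_default_on(const struct caller_cred *cred,
                            const struct file_owner *file)
{
    struct hardlink_policy pol = { .check_uid = 1, .check_gid = 1 };
    return hardlink_allowed(&pol, cred, file);
}

int
main(void)
{
    /* Constructed sample: uid 1001 (groups 1001 and 20) tries to link a
     * file owned by uid 0, gid 20. */
    gid_t groups[] = { 1001, 20 };
    struct caller_cred alice = { .uid = 1001, .groups = groups,
                                 .ngroups = 2, .privileged = false };
    struct file_owner rootfile = { .uid = 0, .gid = 20 };
    struct hardlink_policy off = { 0, 0 }, uid_only = { 1, 0 },
                           gid_only = { 0, 1 };

    printf("checks off:      %s\n",
           hardlink_allowed(&off, &alice, &rootfile) ? "allowed" : "denied");
    printf("check_uid only:  %s\n",
           hardlink_allowed(&uid_only, &alice, &rootfile) ? "allowed" : "denied");
    printf("check_gid only:  %s\n",
           hardlink_allowed(&gid_only, &alice, &rootfile) ? "allowed" : "denied");
    printf("proposed default: %s\n",
           hardlink_allowed_default_on(&alice, &rootfile) ? "allowed" : "denied");
    return 0;
}
```

Run as-is, the sample shows why the default matters: with the checks off an unprivileged user can link a root-owned file into a directory they control, with check_uid on the same link is refused, and check_gid alone still permits it here because the caller is in the file's group.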