default value of security.bsd.hardlink_check_[ug]id
Robert Watson
rwatson at FreeBSD.org
Mon Jan 1 02:41:34 PST 2007
On Mon, 1 Jan 2007, Bruce Evans wrote:
> On Sun, 31 Dec 2006, Robert Watson wrote:
>
>> I'm not entirely happy with the current implementation, FWIW. I'd like
>> can_hardlink to be implemented in the per file system code, possibly by
>> invoking a common routine of this sort, avoiding the extra call to
>> VOP_GETATTR(), and allowing file systems not implementing ownership in
>> traditional ways (msdosfs, etc) to do whatever makes sense in their
>> context. On the whole, these sorts of decisions are made in each file
>> system, often using common code (perhaps centralized), and not at the VFS
>> layer.
>
> I think it also has wrong semantics. It denies privilege based on
> non-ownership, while everything that uses vaccess() grants privilege based
> on ownership. This gives the surprising behaviour that if
> hardlink_check_gid = 1, the owner of a file can do anything to the file
> except link to it in cases where the group of the file isn't in the caller's
> group list (and no immutable bit is set).
Yes, I think you're right. Per our earlier thread on the structure of
privilege checks on arch@, security checks generally should look something like
this:
    error = dac_check(cred, object);
    if (error) {
        error = priv_check(cred, privilege);
        if (error)
            return (error);
    }
The requirement for ownership or privilege for linking is part of the DAC
check in this structure. Operations seem to fall down into three categories:
- Operations always requiring privilege.
- Operations requiring ownership or privilege.
- Operations requiring rights be granted via the ACL or privilege.
There may be a few edge cases requiring ownership, ACL, or privilege, but
these may also be bugs. I think we should always allow linking rights for the
owner and for privilege, and optionally also for the group or everyone. So
perhaps we want a linking mib entry that selects one of the following "levels"
for hard linking:
- Privilege required.
- Ownership or privilege required.
- Matching group or ownership or privilege required.
- Allowed for everyone.
Robert N M Watson
Computer Laboratory
University of Cambridge
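The dac_check()-then-priv_check() shape and the four proposed hard-linking levels, worked through as an added C example that is not FreeBSD code and not from this thread; struct cred, struct vattr, priv_check_stub(), the HL_* names and the sample credentials are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdbool.h>
/* Hypothetical stand-ins for a credential and a vnode's ownership attributes
 * (constructed for this example; not FreeBSD's struct ucred / struct vattr). */
struct cred { unsigned uid, ngroups; const unsigned *groups; bool privileged; };
struct vattr { unsigned uid, gid; };
/* The four proposed "levels" for a hard-linking mib entry, least to most open. */
enum hardlink_level { HL_PRIV_ONLY, HL_OWNER_OR_PRIV, HL_GROUP_OWNER_OR_PRIV, HL_EVERYONE };
static bool groupmember(const struct cred *cred, unsigned gid)
{
	for (unsigned i = 0; i < cred->ngroups; i++)
		if (cred->groups[i] == gid)
			return (true);
	return (false);
}

/* DAC half: grants on ownership or group membership per the level and never
 * consults privilege.  Each level includes everything the stricter ones grant,
 * so the owner is never worse off than a group member (Bruce's objection). */
static int hardlink_dac_check(const struct cred *cred, const struct vattr *va,
    enum hardlink_level level)
{
	if (level >= HL_EVERYONE) return (0);
	if (level >= HL_GROUP_OWNER_OR_PRIV && groupmember(cred, va->gid)) return (0);
	if (level >= HL_OWNER_OR_PRIV && cred->uid == va->uid) return (0);
	return (EPERM);
}

/* Stand-in for priv_check(): succeeds only for a privileged credential. */
static int priv_check_stub(const struct cred *c) { return (c->privileged ? 0 : EPERM); }
/* can_hardlink() in the dac_check()-then-priv_check() shape from the mail. */
int can_hardlink(const struct cred *cred, const struct vattr *va,
    enum hardlink_level level)
{
	int error = hardlink_dac_check(cred, va, level);
	if (error) {
		error = priv_check_stub(cred);
		if (error)
			return (error);
	}
	return (0);
}

/* Constructed sample data: the file is owned by uid 1000, group 100. */
static const unsigned staff_grp[] = { 100 }, wheel_grp[] = { 0 };
const struct vattr file_attr = { 1000, 100 };
const struct cred owner_cred = { 1000, 1, wheel_grp, false };   /* owner, not in group 100 */
const struct cred member_cred = { 1001, 1, staff_grp, false };  /* group member, not owner */
const struct cred other_cred = { 1002, 1, wheel_grp, false };   /* neither */
const struct cred root_cred = { 0, 1, wheel_grp, true };        /* privileged */
```

With the levels ordered this way the owner passes at every level from HL_OWNER_OR_PRIV up, regardless of group membership, which is the behaviour the current hardlink_check_gid check gets wrong.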