default value of security.bsd.hardlink_check_[ug]id

Robert Watson rwatson at FreeBSD.org
Mon Jan 1 02:41:34 PST 2007


On Mon, 1 Jan 2007, Bruce Evans wrote:

> On Sun, 31 Dec 2006, Robert Watson wrote:
>
>> I'm not entirely happy with the current implementation, FWIW.  I'd like 
>> can_hardlink to be implemented in the per file system code, possibly by 
>> invoking a common routine of this sort, avoiding the extra call to 
>> VOP_GETATTR(), and allowing file systems not implementing ownership in 
>> traditional ways (msdosfs, etc) to do whatever makes sense in their 
>> context. On the whole, these sorts of decisions are made in each file 
>> system, often using common code (perhaps centralized), and not at the VFS 
>> layer.
>
> I think it also has wrong semantics.  It denies privilege based on 
> non-ownership, while everything that uses vaccess() grants privilege based 
> on ownership.  This gives the surprising behaviour that if 
> hardlink_check_gid = 1, the owner of a file can do anything to the file 
> except link to it in cases where the group of the file isn't in the caller's 
> group list (and no immutable bit is set).

Yes, I think you're right.  Per our earlier thread on the structure of 
privilege checks on arch@, security checks generally should look something like 
this:

	error = dac_check(cred, object);
	if (error) {
		error = priv_check(cred, privilege);
		if (error)
			return (error);
	}

The requirement for ownership or privilege for linking is part of the DAC 
check in this structure.  Operations seem to fall down into three categories:

- Operations always requiring privilege.

- Operations requiring ownership or privilege.

- Operations requiring rights be granted via the ACL or privilege.

There may be a few edge cases requiring ownership, ACL, or privilege, but 
these may also be bugs.  I think we should always allow linking rights for the 
owner and for privilege, and optionally also for the group or everyone.  So 
perhaps we want a linking mib entry that selects one of the following "levels" 
for hard linking:

- Privilege required.
- Ownership or privilege required.
- Matching group or ownership or privilege required.
- Allowed for everyone.

Robert N M Watson
Computer Laboratory
University of Cambridge
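As an added illustration (not code from the thread or from FreeBSD), the following sketch puts the four proposed linking "levels" into the dac_check()-then-priv_check() shape from the message. The struct cred and struct fileattr types, the groupmember() helper, the link_level enum and the has_link_priv flag standing in for priv_check() are all constructed assumptions; the point it shows is that the DAC half only ever grants on ownership or group membership, so an owner is never refused because the file's group is not in the caller's group list.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-in for a credential: ids, supplementary groups, and
 * whether priv_check() would succeed for the link privilege. */
struct cred {
	unsigned uid, gid;
	const unsigned *groups;
	size_t ngroups;
	bool has_link_priv;
};
struct fileattr { unsigned uid, gid; };	/* stand-in for the file's ownership */
/* The four linking "levels" from the message, as a hypothetical MIB value. */
enum link_level { LINK_PRIV_ONLY, LINK_OWNER, LINK_GROUP, LINK_EVERYONE };

static bool groupmember(const struct cred *cr, unsigned gid)
{
	for (size_t i = 0; i < cr->ngroups; i++)
		if (cr->groups[i] == gid)
			return true;
	return cr->gid == gid;
}

/* DAC half: grants on ownership or group membership according to the
 * level; the owner is never refused because the group does not match. */
static int link_dac_check(const struct cred *cr, const struct fileattr *fa,
    enum link_level lvl)
{
	if (lvl >= LINK_EVERYONE)
		return 0;
	if (lvl >= LINK_OWNER && cr->uid == fa->uid)
		return 0;
	if (lvl >= LINK_GROUP && groupmember(cr, fa->gid))
		return 0;
	return EPERM;
}

/* Combined check in the dac_check()-then-priv_check() shape. */
int can_hardlink(const struct cred *cr, const struct fileattr *fa,
    enum link_level lvl)
{
	int error = link_dac_check(cr, fa, lvl);
	if (error) {
		error = cr->has_link_priv ? 0 : EPERM;	/* stand-in for priv_check() */
		if (error)
			return error;
	}
	return 0;
}
```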

