hard links to symlinks

Jilles Tjoelker jilles at stack.nl
Fri Jul 17 10:34:40 UTC 2009


In compliance with POSIX.1-2008, linkat() allows creating hard links to
symlinks. This means that it is a much worse idea to trust a symlink
just because it is owned by a trusted user (if it is in a directory
writable by other users). Security issues like
http://archives.neohapsis.com/archives/postfix/2008-08/0391.html now
affect FreeBSD 8 local filesystems as well.

Given that Linux and Solaris have allowed this for a long time, I think
this functionality should remain, but it should probably be mentioned in
the release notes. The security.bsd.hardlink_check_uid sysctl can be
used to avoid vulnerabilities.

By the way, the man page erroneously says the AT_SYMLINK_NOFOLLOW flag
should be set to have linkat() follow symlinks. The standard and the
implementation are correct, AT_SYMLINK_FOLLOW; the AT_SYMLINK_NOFOLLOW
flag is not valid for this function.

Note that the link command and the link() function always follow
symlinks (this is POSIX.1-2001 and POSIX.1-2008 compliant), and the ln
command will not create hard links to symlinks either. Hence, people may
think it is not possible (the check in the Postfix advisory will not
detect FreeBSD 8's capability).

I have a patch to add the POSIX.1-2008 -L and -P options to ln, making
it possible to choose the desired behaviour (follow/don't follow
symlinks). I think this is too late for 8.0, however.

-- 
Jilles Tjoelker
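An added example, not part of the original message: a C probe that calls linkat() directly, since link() and ln follow symlinks and so cannot show the capability described above. The name probe_linkat and the /tmp scratch path are constructed for illustration, and it assumes an OS and filesystem that permit hard links to symlinks, as the message says FreeBSD 8, Linux and Solaris do.

```c
#define _XOPEN_SOURCE 700 /* linkat(), mkdtemp(), AT_SYMLINK_FOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of one probe run inside a private scratch directory. */
struct probe {
    int ok;         /* 1 if linkat() succeeded and both names were examined */
    int is_symlink; /* the new name is itself a symlink */
    int same_inode; /* the new name shares the original symlink's inode */
    long nlink;     /* link count of the original symlink afterwards */
};

/* flags: 0 links the symlink itself, AT_SYMLINK_FOLLOW links its target. */
struct probe probe_linkat(int flags)
{
    struct probe r = {0, 0, 0, 0};
    char dir[] = "/tmp/linkat-probe-XXXXXX"; /* constructed scratch path */
    struct stat sl, hl;
    if (mkdtemp(dir) == NULL) return r;
    int d = open(dir, O_RDONLY | O_DIRECTORY);
    int fd = d < 0 ? -1 : openat(d, "target", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && symlinkat("target", d, "sl") == 0 &&
        linkat(d, "sl", d, "hl", flags) == 0 &&
        fstatat(d, "sl", &sl, AT_SYMLINK_NOFOLLOW) == 0 &&
        fstatat(d, "hl", &hl, AT_SYMLINK_NOFOLLOW) == 0) {
        r.ok = 1;
        r.is_symlink = S_ISLNK(hl.st_mode) ? 1 : 0;
        r.same_inode = hl.st_dev == sl.st_dev && hl.st_ino == sl.st_ino;
        r.nlink = (long)sl.st_nlink;
    }
    /* Clean up; the calls fail harmlessly if a step above did not happen. */
    unlinkat(d, "hl", 0); unlinkat(d, "sl", 0); unlinkat(d, "target", 0);
    if (fd >= 0) close(fd);
    if (d >= 0) close(d);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct probe p = probe_linkat(0), f = probe_linkat(AT_SYMLINK_FOLLOW);
    printf("flags=0:           ok=%d symlink=%d same_inode=%d nlink=%ld\n",
           p.ok, p.is_symlink, p.same_inode, p.nlink);
    printf("AT_SYMLINK_FOLLOW: ok=%d symlink=%d same_inode=%d nlink=%ld\n",
           f.ok, f.is_symlink, f.same_inode, f.nlink);
    return 0;
}
```

With flags 0 the new name is a symlink sharing the original's inode and ownership, which is why the owner of a symlink in a directory writable by other users says nothing about who placed it there.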

