atom feed11 messages in org.freebsd.freebsd-archdefault value of security.bsd.hardlin...
FromSent OnAttachments
Colin PercivalDec 30, 2006 10:08 pm 
Ceri DaviesDec 31, 2006 5:10 am 
Robert WatsonDec 31, 2006 7:36 am 
Robert WatsonDec 31, 2006 7:38 am 
Ceri DaviesDec 31, 2006 7:56 am 
Bruce EvansJan 1, 2007 2:06 am 
Robert WatsonJan 1, 2007 2:41 am 
Colin PercivalJan 1, 2007 8:54 pm 
Ceri DaviesJan 2, 2007 3:05 am 
Robert WatsonJan 2, 2007 3:07 pm 
Jon PasskiJan 6, 2007 8:44 am 
Subject:default value of security.bsd.hardlink_check_[ug]id
From:Ceri Davies (ce@submonkey.net)
Date:Dec 31, 2006 7:56:22 am
List:org.freebsd.freebsd-arch

On Sun, Dec 31, 2006 at 03:36:33PM +0000, Robert Watson wrote:

On Sat, 30 Dec 2006, Colin Percival wrote:

I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting with FreeBSD 7.x. This would make it impossible for a user to create a hard link to a file which he does not own.

Any objections?

I'm not opposed to this in principle (in fact, I think it's a good idea in principle), but I think it would make sense to evaluate what other operating systems are doing on this front. For example, I think Pawel recently mentioned that Sun has already made this change (or the equivilent in Solaris), but we should confirm that, and google to see if there have been many problems for Solaris users.

Solaris 10 definitely hasn't done this. The ability to create hard links to file that you do not own is controlled by the file_link_any privilege which is in the basic set, the basic set being defined as "what unprivileged processes could do before we introduced privileges(5)". Of course, you can configure Solaris such that unprivileged processes get a subset of the basic set by default (via policy.conf), but that isn't how it comes out of the box.

The current OpenSolaris code base hasn't changed this either; see src/uts/common/os/priv_defs.

Ceri

-- That must be wonderful! I don't understand it at all. -- Moliere