Subject: Re: kern/1043: unlink(2) should not let superuser remove directories
To: None <netbsd-bugs@NetBSD.ORG>
From: Ty Sarna <tsarna@endicor.com>
List: netbsd-bugs
Date: 05/16/1995 04:07:32
In article <199505151139.HAA01759@Collatz.McRCIM.McGill.EDU>,
der Mouse  <mouse@Collatz.McRCIM.McGill.EDU> wrote:
> I agree with that other person, who said that if such functionality is
> left in the kernel at all, it belongs in root-only syscalls linkdir()
> and unlinkdir(), not in link() and unlink().  I have a program that
> would really like to get EISDIR on an attempt to unlink() a directory,
> but has to make a second syscall first (a wasted syscall, most of the
> time) to avoid orphaning directories with unlink() if it's run by root.
> And I'm not sure it does belong in the kernel.

What about conditionalizing this and other potentially dangerous
functionality on a "kern.safety" sysctl that would normally default to
on, and would have to be turned off (only allowable in single-user mode,
perhaps?) to permit link/unlink of directories, etc. This would satisfy
both at the expense of YA variable. Perhaps other generally dangerous
functionality could also be conditionalized by default, to make the
system safer by default than other systems, without giving up
flexibility.

Any other operations that could/should be controlled by such a setting
(and that are not already covered by securelevel)?
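The "second syscall" der Mouse mentions is an lstat(2) before the unlink(2), done so that a program running as root never removes a directory by accident. Below is an added, illustrative userland wrapper that does exactly that check and reports EISDIR for directories, written for this discussion rather than taken from any NetBSD source; the function names, the scratch directory under TMPDIR (or /tmp) and the numeric result codes are all assumptions of the example. It also shows why people wanted the check in the kernel: between lstat and unlink there is a window in which the path can be swapped, whereas a check inside the syscall (as proposed above) has no such window.

```c
/* Added example, not code from the thread or from NetBSD: a wrapper that
 * refuses to unlink(2) a directory by spending the extra lstat(2) call the
 * thread talks about, and returns EISDIR the way a kernel-side check would. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* unlink_file_only: like unlink(2), but fails with EISDIR on a directory no
 * matter who the caller is. lstat (not stat) so a symlink to a directory is
 * still treated as the link it is, which unlink would remove anyway.
 * Caveat: lstat + unlink is not atomic; the path may be replaced in between.
 * Only a check inside the kernel's unlink path closes that window. */
int unlink_file_only(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == -1)
        return -1;                 /* errno left as set by lstat, e.g. ENOENT */
    if (S_ISDIR(st.st_mode)) {
        errno = EISDIR;
        return -1;
    }
    return unlink(path);
}

/* demo_unlink_checks: builds a scratch tree (one plain file, one subdir)
 * and exercises the wrapper on each. Returns 0 when every case behaves as
 * expected, otherwise a small code saying which step went wrong. */
int demo_unlink_checks(void)
{
    const char *tmpdir = getenv("TMPDIR");
    char base[512];
    snprintf(base, sizeof base, "%s/unlinkdemo.XXXXXX",
             tmpdir && *tmpdir ? tmpdir : "/tmp");
    if (mkdtemp(base) == NULL)
        return 1;                  /* cannot create scratch directory */

    char file[600], sub[600];
    snprintf(file, sizeof file, "%s/plain", base);
    snprintf(sub, sizeof sub, "%s/subdir", base);

    int rc = 0;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1 || close(fd) == -1 || mkdir(sub, 0700) == -1)
        rc = 2;                    /* could not populate the scratch tree */

    /* A directory must be refused with EISDIR and must still exist afterwards. */
    if (rc == 0) {
        errno = 0;
        if (unlink_file_only(sub) != -1 || errno != EISDIR)
            rc = 3;
        else if (access(sub, F_OK) != 0)
            rc = 4;
    }
    /* A regular file must be removed normally. */
    if (rc == 0) {
        if (unlink_file_only(file) != 0)
            rc = 5;
        else if (access(file, F_OK) == 0)
            rc = 6;
    }
    /* A missing path reports lstat's ENOENT unchanged. */
    if (rc == 0) {
        errno = 0;
        if (unlink_file_only(file) != -1 || errno != ENOENT)
            rc = 7;
    }

    /* Tear the scratch tree down with the calls meant for each object. */
    rmdir(sub);
    unlink(file);
    rmdir(base);
    return rc;
}

int main(void)
{
    int rc = demo_unlink_checks();
    printf("demo_unlink_checks: %d (0 = all checks passed)\n", rc);
    return rc;
}
```

Run it as an unprivileged user and as root: the wrapper behaves the same either way, which is the property the thread wants from unlink(2) itself, and the directory it refused to remove is still there for rmdir(2).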