tech-security archive


Re: hardlinks to setuid binaries



On Sat, 26 Mar 2022 at 12:00, Taylor R Campbell
<campbell+netbsd-tech-security%mumble.net@localhost> wrote:
>
> Maybe pkg_delete, and any tool to update base, should clear the
> suid/sgid bits first?  (Of course, if you clear the suid/sgid bit on
> /usr/bin/su and something goes wrong with the update, you might be in
> bad shape...)

If it's immediately prior to an unlink anyway that does seem like a
harmless enhancement.

> A heavier hammer, not requiring changes to pkg_delete or anything,
> would be to prohibit creating hard links to files with suid/sgid bits,
> and to prohibit setting the suid/sgid bits on files with >1 link.  But
> we'd have to think through the consequences -- e.g., that would rule
> out having a /rescue/su built with crunchgen like the rest of rescue
> (but that's not something we do at the moment anyway).  What else
> might rely on multiple links to a suid/sgid file?

Could do the hard links first, and the chmod u+s last :)

