tech-security archive


Re: hardlinks to setuid binaries



On Sun, 27 Mar 2022 at 00:19, Taylor R Campbell
<campbell+netbsd-tech-security%mumble.net@localhost> wrote:
>
> Here's some conditions we could apply to making hard links:
>
> 1. [zfs] Caller must own file.
>
> 2. [linux with protected_hardlinks] Either:
>    (a) Caller must own file.
>    (b) File must be regular and non-suid/sgid, and caller must have
>        read&write access.
>
> 3. [least restrictive I could think of to prevent this attack] Either:
>    (a) If suid, caller must own file.
>    (b) If sgid, caller must be in group.
>
> If we apply conditions, I think we should apply them uniformly across
> file systems.

The Linux way is really annoying when wanting to create a link farm of
files that by design shouldn't be writable.  I find myself turning the
entire control off, which in turn means the security advantage
vanishes.

I like #3 for that reason, because being able to link to a non-setuid
file is a useful thing.

I think 3b makes sense, but I could also imagine maybe owning the file
as the condition for both setgid and setuid could also make sense.

