tech-security archive
Re: hardlinks to setuid binaries
Taylor R Campbell <campbell+netbsd-tech-security%mumble.net@localhost> wrote:
> Here's some conditions we could apply to making hard links:
> 3. [least restrictive I could think of to prevent this attack] Either:
> (a) If suid, caller must own file.
> (b) If sgid, caller must be in group.
Yeah, I think this is what I'd have in mind. Possibly
guarded with a sysctl and tied to securelevel.
FreeBSD has security.bsd.hardlink_check_[ug]id:
https://lists.freebsd.org/pipermail/freebsd-security/2004-March/001703.html
So we could:
- by default, set security.bsd.hardlink_check_[u]gid = 1
  with the same semantics as in FreeBSD
- in securelevel = 2 (1?),
  security.bsd.hardlink_check_[ug]id cannot be changed
> If we apply conditions, I think we should apply them uniformly across
> file systems.
Yes, agreed.
-Jan