Re: hardlinks to setuid binaries

To: Michael Richardson <mcr%sandelman.ca@localhost>
Subject: Re: hardlinks to setuid binaries
From: Steffen Nurpmeso <steffen%sdaoden.eu@localhost>
Date: Thu, 31 Mar 2022 19:09:42 +0200

Michael Richardson wrote in
 <19821.1648745882@localhost>:
 |
 |George Georgalis <george%galis.org@localhost> wrote:
 |> However, an audit of package hardlink count, warning on check,
 |> block on upgrade (without --force), to facilitate finding extra links,
 |> seems like a low cost sanity check?
 |
 |It sure seems like it's the upgrade process that needs to care to remove
 |"old" suid bits on old executables.  Or alternatively, overwrite them \
 |without
 |changing the inode.  It's a tussle as to which is better.

Yes exactly.  Drop the stuff, then atomic rename.  What else
can it be to not have problems after the atomic rename.
Just to mention i have

  #?0|kent:~# sysctl fs.protected_regular fs.protected_fifos fs.protected_hardlinks fs.protected_symlinks
  fs.protected_regular = 2
  fs.protected_fifos = 2
  fs.protected_hardlinks = 1
  fs.protected_symlinks = 1

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Follow-Ups:
- Re: hardlinks to setuid binaries
  - From: George Georgalis

References:
- Re: hardlinks to setuid binaries
  - From: Joerg Sonnenberger
- re: hardlinks to setuid binaries
  - From: matthew green
- Re: hardlinks to setuid binaries
  - From: David Holland
- Re: hardlinks to setuid binaries
  - From: George Georgalis
- Re: hardlinks to setuid binaries
  - From: Michael Richardson

Prev by Date: Re: hardlinks to setuid binaries
Next by Date: Re: hardlinks to setuid binaries
Previous by Thread: Re: hardlinks to setuid binaries
Next by Thread: Re: hardlinks to setuid binaries
Indexes:

Home | Main Index | Thread Index | Old Index