tech-security archive
Re: Hard link creation without write access
[trimming tech-userlevel and tech-kern from cc list to avoid
cross-posting the entire thread]
> Date: Thu, 7 Sep 2023 11:53:56 +0000 (UTC)
> From: RVP <rvp%SDF.ORG@localhost>
>
> On Thu, 7 Sep 2023, Taylor R Campbell wrote:
>
> > I think we should have these knobs on by default, but of course in
> > principle that might break existing configurations. So maybe we could
> > put it in the default /etc/sysctl.conf -- that way you only get it on
> > upgrade if you merge updates to /etc.
>
> I played with this after christos@ added the knobs last year[1], and then
> sort(1) broke badly. See PR 56775. Expect further squalls if this is turned
> on by default.
That suggests the semantics we've implemented for the sysctl knobs is
not quite right:

	if (hardlink_check_uid && kauth_cred_geteuid(cred) != va.va_uid)
		goto checkroot;
	if (hardlink_check_gid && kauth_cred_groupmember(cred, va.va_gid) != 0)
		goto checkroot;

It seems to me the rule should be:

1. If you own the file you can make hard links.
2. If you are in the file's group and the file is group-writable you
   can make hard links.
3. Maybe if the file is other-writable you can make hard links.

The problem with sort in /tmp is that hardlink_check_gid requires you
to be in the file's group _even if you own the file_, which is also a
bonkers restriction.
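
Added example, not part of the original message and not NetBSD code: a user-space C model that compares the two quoted tests with the three-rule proposal for an unprivileged caller. The struct and function names and the sample uids, gids and modes are constructed for illustration, and `goto checkroot` is modelled as a denial (the caller is assumed not to be root).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical stand-ins for the kernel credential and file attributes. */
struct cred_m { uid_t euid; const gid_t *groups; size_t ngroups; };
struct file_m { uid_t uid; gid_t gid; mode_t mode; };

static bool in_group(const struct cred_m *c, gid_t g) {
	for (size_t i = 0; i < c->ngroups; i++)
		if (c->groups[i] == g) return true;
	return false;
}

/* The two tests quoted in the message. Each knob is a parameter;
 * "goto checkroot" is modelled as denial (assumption: caller is not root). */
static bool quoted_check(const struct cred_m *c, const struct file_m *f,
    bool check_uid, bool check_gid) {
	if (check_uid && c->euid != f->uid) return false;
	if (check_gid && !in_group(c, f->gid)) return false;
	return true;
}

/* Rules 1-3 from the message. Rule 3 is stated as a "maybe", so it is a flag. */
static bool proposed_check(const struct cred_m *c, const struct file_m *f,
    bool allow_other_writable) {
	if (c->euid == f->uid) return true;                           /* rule 1 */
	if (in_group(c, f->gid) && (f->mode & S_IWGRP)) return true;  /* rule 2 */
	if (allow_other_writable && (f->mode & S_IWOTH)) return true; /* rule 3 */
	return false;
}

/* Constructed sample data: one user in group 100 and three files. */
static const gid_t user_groups[] = { 100 };
static const struct cred_m user = { 1000, user_groups, 1 };
static const struct file_m own_tmp   = { 1000, 0, 0600 };  /* own file, group the user is not in */
static const struct file_m root_file = { 0, 0, 0644 };     /* someone else's read-only file */
static const struct file_m shared    = { 2000, 100, 0664 };/* group-writable, user's group */

int main(void) {
	const struct file_m *files[] = { &own_tmp, &root_file, &shared };
	const char *names[] = { "own_tmp", "root_file", "shared" };
	for (size_t i = 0; i < 3; i++)
		printf("%-9s quoted=%d proposed=%d\n", names[i],
		    quoted_check(&user, files[i], true, true),
		    proposed_check(&user, files[i], false));
	return 0;
}
```

The `own_tmp` row is the case the message attributes to sort in /tmp: the quoted tests deny a link to a file the caller owns because of the group test, while rule 1 allows it.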