tech-security archive


Re: Hard link creation without write access



On Thu, Sep 07, 2023 at 12:13:22PM +0000, Taylor R Campbell wrote:
> > Date: Thu, 7 Sep 2023 07:46:48 -0400 (EDT)
> > From: Mouse <mouse%Rodents-Montreal.ORG@localhost>
> > 
> > > Today I learned that you can create hard links to a file you don't
> > > own and can't write to or even read from:
> > 
> > > $ su -l root -c 'touch /tmp/foo && chmod 600 /tmp/foo'
> > > $ ln /tmp/foo /tmp/bar
> > 
> > > This strikes me as bonkers and a likely source of security issues.
> > 
> > What issues?  The only one I can see is that it allows anyone who can
> > write to any directory on that filesystem to cause the file to stick
> > around after its original name is unlinked.  That strikes me as a
> > non-hazard.
> > 
> > Do you see potential damage from that, or do you see some additional
> > threat?
> 
> Requires extra care to prevent things like this:
> 
> ln /etc/motd /var/mail/mouse
> echo hello world | mail.local mouse
> 
> It's surprising to me that you can modify a file -- changing its link
> count, even if you don't consider creating another (non-symbolic)
> directory link pointing to it to be modifying it -- that you don't own
> and don't have write access to.  Things that are surprising like that
> are likely sources of security issues.
> 
> What's a _legitimate_ use case for this that can't be done with
> symlinks?

I want to add my 2 cents here to avoid confusion. Our mail.local(8) checks if
the number of links to the mbox file is 1 and refuses to continue if that's not
the case. I used the above example somewhere else to show why the link counting
performed by mail.local(8) is important.

 Regards,
 Mateusz

