Hard link creation witout write access

[Taylor R Campbell <riastradh%NetBSD.org@localhost>]

Today I learned that you can create hard links to a file you don't own
and can't write to or even read from:

$ su -l root -c 'touch /tmp/foo && chmod 600 /tmp/foo'
$ ln /tmp/foo /tmp/bar

This strikes me as bonkers and a likely source of security issues.

POSIX says:

> The implementation may require that the calling process has
> permission to access the existing file.
>
> https://pubs.opengroup.org/onlinepubs/9699919799/functions/link.html

So this behaviour is allowed by POSIX but it would also be allowed to
make this fail with EACCES.  Unclear whether POSIX means ownership,
group membership, write access, or read access, but unless a POSIX
language lawyer can cite chapter & verse for the specific definition
of `has permission to access', I think this means the implementation
is allowed to apply any of those access rules?

Apparently we have sysctl knobs

security.models.extensions.hardlink_check_uid
security.models.extensions.hardlink_check_gid

to prohibit this bonkers linking, by prohibiting anyone but the owner
(hardlink_check_uid) or members of the group (hardlink_check_gid) from
creating hard links.  But the knobs are off by default.

Linux has a knob fs.protected_hardlinks which, if set, requires the
user to own or have write access to the file.

I think we should have these knobs on by default, but of course in
principle that might break existing configurations.  So maybe we could
put it in the default /etc/sysctl.conf -- that way you only get it on
upgrade if you merge updates to /etc.

Thoughts?