tech-security archive


Re: hardlinks to setuid binaries



Martin Husemann wrote:

> On Fri, Mar 25, 2022 at 11:00:35PM +0000, Taylor R Campbell wrote:
> > A heavier hammer, not requiring changes to pkg_delete or anything,
> > would be to prohibit creating hard links to files with suid/sgid bits,
> > and to prohibit setting the suid/sgid bits on files with >1 link.

That would break at/atq/atrm/batch, chfn/chpass/chsh, passwd/yppasswd
and sysstat/systat in our base system.

> Instead of prohibiting those, we could require them to be done by the suid
> owner or root.

I tried to reproduce this and got EOPNOTSUPP when linked to a normal
or setuid binary that I didn't own.  Then it occurred to me that the
behaviour might be filesystem-specific.  I tested on ZFS originally. I
tried on FFS and was able to hard link to files I don't own, setuid or
not.

I agree with Martin - it makes sense to me to forbid hard linking to
files that you don't own.  Not sure if we can do this at the VFS layer
or need to do it per filesystem?

Does POSIX/SUSvN/other-random-specs have anything to say about this?

Cheers,
Simon.
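
An added example, not part of the original message: a Python audit that lists setuid/setgid regular files with more than one link under a directory tree, the situation this thread is about, so an administrator can see which link sets exist on a given filesystem. The function name and report fields are this example's own.

```python
import os
import stat
import sys
from collections import defaultdict

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def audit_privileged_links(root):
    """Return setuid/setgid regular files under root that have more than one link.

    Each finding groups every path seen for one inode and reports how many
    of its links lie outside the scanned tree (st_nlink minus paths found).
    """
    seen = defaultdict(list)   # (st_dev, st_ino) -> paths found under root
    meta = {}                  # (st_dev, st_ino) -> lstat result
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: never follow symlinks
            except OSError:
                continue              # vanished or unreadable entry; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL_BITS:
                key = (st.st_dev, st.st_ino)
                seen[key].append(path)
                meta[key] = st
    findings = []
    for key, paths in seen.items():
        st = meta[key]
        if st.st_nlink > 1:
            findings.append({
                "paths": sorted(paths),
                "owner_uid": st.st_uid,
                "mode": stat.filemode(st.st_mode),
                "nlink": st.st_nlink,
                "links_outside_tree": max(st.st_nlink - len(paths), 0),
            })
    return sorted(findings, key=lambda f: f["paths"])


if __name__ == "__main__":
    for f in audit_privileged_links(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['mode']} uid={f['owner_uid']} nlink={f['nlink']} "
              f"outside={f['links_outside_tree']}: {', '.join(f['paths'])}")
```

A non-zero `links_outside_tree` means some names for that inode were not found under the scanned root; scanning from the filesystem's mount point accounts for all of them.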

