tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: hardlinks to setuid binaries



On Mon, Mar 28, 2022 at 1:35 PM David Holland
<dholland-security%netbsd.org@localhost> wrote:
> Plenty of compat issues to figure out before trying to deploy either,
> though.
>
> (though I don't see where even the setuid flag interferes with
> updating base and in pkgsrc it'll only interfere with the small number
> of packages that build in destdir but not user-destdir mode)

For simplified storage management, I typically put home in a /usr
partition and symlink it from the root partition, and allocate typical
/tmp and /var partitions, separate from root. That obviously exposes
me to the potential of user hardlinked vulnerable suid binaries.

For all of the solutions discussed the consequences don't seem
to outway administratively separating user writable partitions, ie
(my) practice change but no implementation change.

However, an audit of package hardlink count, warning on check,
block on upgrade (without --force), to facilitate finding extra links,
seems like a low cost sanity check?

-George

-- 
George Georgalis, (415) 894-2710, http://www.galis.org/


Home | Main Index | Thread Index | Old Index