Re: hardlinks to setuid binaries

To: George Georgalis <george%galis.org@localhost>, David Holland <dholland-security%netbsd.org@localhost>, tech-security%netbsd.org@localhost
Subject: Re: hardlinks to setuid binaries
From: Michael Richardson <mcr%sandelman.ca@localhost>
Date: Thu, 31 Mar 2022 12:58:02 -0400

George Georgalis <george%galis.org@localhost> wrote:
    > However, an audit of package hardlink count, warning on check,
    > block on upgrade (without --force), to facilitate finding extra links,
    > seems like a low cost sanity check?

It sure seems like it's the upgrade process that needs to care to remove
"old" suid bits on old executables.  Or alternatively, overwrite them without
changing the inode.  It's a tussle as to which is better.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr%sandelman.ca@localhost  http://www.sandelman.ca/        |   ruby on rails    [

Attachment: signature.asc
Description: PGP signature

Follow-Ups:
- Re: hardlinks to setuid binaries
  - From: Steffen Nurpmeso

References:
- Re: hardlinks to setuid binaries
  - From: Joerg Sonnenberger
- re: hardlinks to setuid binaries
  - From: matthew green
- Re: hardlinks to setuid binaries
  - From: David Holland
- Re: hardlinks to setuid binaries
  - From: George Georgalis

Prev by Date: Re: hardlinks to setuid binaries
Next by Date: Re: hardlinks to setuid binaries
Previous by Thread: Re: hardlinks to setuid binaries
Next by Thread: Re: hardlinks to setuid binaries
Indexes:

Home | Main Index | Thread Index | Old Index