tech-security archive


Re: Hard link creation without write access



Taylor R Campbell <riastradh%NetBSD.org@localhost> writes:

>> The implementation may require that the calling process has
>> permission to access the existing file.
>>
>> https://pubs.opengroup.org/onlinepubs/9699919799/functions/link.html
>
> So this behaviour is allowed by POSIX but it would also be allowed to
> make this fail with EACCES.  Unclear whether POSIX means ownership,
> group membership, write access, or read access, but unless a POSIX
> language lawyer can cite chapter & verse for the specific definition
> of `has permission to access', I think this means the implementation
> is allowed to apply any of those access rules?
>
> Apparently we have sysctl knobs
>
> security.models.extensions.hardlink_check_uid
> security.models.extensions.hardlink_check_gid
>
> to prohibit this bonkers linking, by prohibiting anyone but the owner
> (hardlink_check_uid) or members of the group (hardlink_check_gid) from
> creating hard links.  But the knobs are off by default.

How about we add

  security.models.extensions.hardlink_require_access

and define it as (uid match || writable), default off for now, and all the
people that want this change enable it on all their production
systems, and if there is no trouble we can just default it to on.  I
would rather do that more slowly than accumulate crud in sysctl.conf.

Or perhaps have people just check_uid and then turn that on by default
and call "owns" as good enough for "access".

I do not expect much to break.  But I am always surprised.


