Proposal: restrict link(2)

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Andreas Schwab: "Re: POSIX compatibility?"
• Previous message: Ulrich Windl: "Re: Linux kernel file name"
• Next in thread: Hubert Mantel: "Re: Proposal: restrict link(2)"
• Reply: Hubert Mantel: "Re: Proposal: restrict link(2)"
• Reply: Harald Koenig: "Re: Proposal: restrict link(2)"
• Reply: Stuart Auchterlonie: "Re: Proposal: restrict link(2)"
• Maybe reply: Matthias Urlichs: "Re: Proposal: restrict link(2)"
• Maybe reply: Adam D. Bradley: "Re: Proposal: restrict link(2)"
• Maybe reply: Chris Adams: "Re: Proposal: restrict link(2)"
• Maybe reply: Neil Moore: "Re: Proposal: restrict link(2)"
• Maybe reply: Jan Klabacka: "Re: Proposal: restrict link(2)"
• Maybe reply: rdm@tad.micro.umn.edu: "Re: Proposal: restrict link(2)"
• Maybe reply: Cameron MacKinnon: "Re: Proposal: restrict link(2)"
• Maybe reply: Aaron Denney: "Re: Proposal: restrict link(2)"
• Maybe reply: Michael Elizabeth Chastain: "Re: Proposal: restrict link(2)"
• Maybe reply: Albert Cahalan: "Re: Proposal: restrict link(2)"
• Maybe reply: Paul Slootman: "Re: Proposal: restrict link(2)"
• Maybe reply: Paul Flinders: "Re: Proposal: restrict link(2)"
• Maybe reply: Kris Karas: "Re: Proposal: restrict link(2)"

However, there are also many things which can go wrong with publically
writable directories, such as /tmp, when hard links are employed.

Consider a (questionable) root-owned program which does a
chown("/tmp/foo", uid, gid), with the sticky bit set on /tmp.

If /tmp/foo is a symbolic link to /etc/passwd, all is well with Linux -
it changes the ownership of the symbolic link (which is meaningless in
most cases), and /etc/passwd still belongs to root.

If, however, /tmp/foo is a HARD link to /etc/passwd, chown("/tmp/foo",
uid, gid) will lead to the user owning /etc/passwd - not a desirable
thing, in general.

My proposal would be to disallow linking a file into a directory which
has the sticky bit set unless the owner of the file is attempting this.
In other words, Joe Random Cracker can't do a 'ln /etc/passwd /tmp/foo'
beforehand.

Comments?

-- 
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.

• Next message: Andreas Schwab: "Re: POSIX compatibility?"
• Previous message: Ulrich Windl: "Re: Linux kernel file name"
• Next in thread: Hubert Mantel: "Re: Proposal: restrict link(2)"
• Reply: Hubert Mantel: "Re: Proposal: restrict link(2)"
• Reply: Harald Koenig: "Re: Proposal: restrict link(2)"
• Reply: Stuart Auchterlonie: "Re: Proposal: restrict link(2)"
• Maybe reply: Matthias Urlichs: "Re: Proposal: restrict link(2)"
• Maybe reply: Adam D. Bradley: "Re: Proposal: restrict link(2)"
• Maybe reply: Chris Adams: "Re: Proposal: restrict link(2)"
• Maybe reply: Neil Moore: "Re: Proposal: restrict link(2)"
• Maybe reply: Jan Klabacka: "Re: Proposal: restrict link(2)"
• Maybe reply: rdm@tad.micro.umn.edu: "Re: Proposal: restrict link(2)"
• Maybe reply: Cameron MacKinnon: "Re: Proposal: restrict link(2)"
• Maybe reply: Aaron Denney: "Re: Proposal: restrict link(2)"
• Maybe reply: Michael Elizabeth Chastain: "Re: Proposal: restrict link(2)"
• Maybe reply: Albert Cahalan: "Re: Proposal: restrict link(2)"
• Maybe reply: Paul Slootman: "Re: Proposal: restrict link(2)"
• Maybe reply: Paul Flinders: "Re: Proposal: restrict link(2)"
• Maybe reply: Kris Karas: "Re: Proposal: restrict link(2)"