Re: default value of security.bsd.hardlink_check_[ug]id

On Sun, Dec 31, 2006 at 03:36:33PM +0000, Robert Watson wrote:
On Sat, 30 Dec 2006, Colin Percival wrote:

I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
with FreeBSD 7.x. This would make it impossible for a user to create a
hard link to a file which he does not own.

Any objections?

I'm not opposed to this in principle (in fact, I think it's a good idea in
principle), but I think it would make sense to evaluate what other
operating systems are doing on this front. For example, I think Pawel
recently mentioned that Sun has already made this change (or the equivilent
in Solaris), but we should confirm that, and google to see if there have
been many problems for Solaris users.

Solaris 10 definitely hasn't done this. The ability to create hard
links to file that you do not own is controlled by the file_link_any
privilege which is in the basic set, the basic set being defined as
"what unprivileged processes could do before we introduced
privileges(5)". Of course, you can configure Solaris such that
unprivileged processes get a subset of the basic set by default (via
policy.conf), but that isn't how it comes out of the box.

The current OpenSolaris code base hasn't changed this either; see
src/uts/common/os/priv_defs.

Ceri
--
That must be wonderful! I don't understand it at all.
-- Moliere

Attachment: pgp4GQDkFNMpC.pgp
Description: PGP signature