[1261] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

Re: [linux-security] Re: t bit and symlinks patch

daemon@ATHENA.MIT.EDU (Wietse Venema)
Thu Oct 24 20:07:27 1996

From: wietse@wzv.win.tue.nl (Wietse Venema)
To: tridge@arvidsjaur.anu.edu.au (Andrew Tridgell)
Date: Tue, 22 Oct 96 10:30:24 MET DST
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <96Oct22.090144+1000est.65092-27084+2569@arvidsjaur.anu.edu.au>; from "Andrew Tridgell" at Oct 22, 96 9:01 am

Wietse wrote:
> Hard links, soft links, either is sufficient to attack sensitive files
> by exploiting naive programs, but the `t' bit is not a requirement at

Andrew Tridgell wrote:
[Using the `t' bit as a way of requesting less insecure behavior]

OK, "do what I mean" semantics can make sense (this is like mounting a
file system `nosuid' in order to also disable device special files).

To keep semantics simple, I suggest the principle of least surprise:
1) don't allow the creation of hard links that the process can't
remove, and 2) don't follow symlinks that the process doesn't own.

1) can be overruled when the process has superuser privilege; 2) can be
overruled when the symlink is owned by the superuser or when the
symlink is owned by the owner of its (source) directory.

I'll resist the temptation to propose changes to the semantics of
following symlinks in general. :-)

	Wietse

home help back first fref pref prev next nref lref last post