[1268] in linux-security and linux-alert archive


Re: [linux-security] Re: t bit and symlinks patch

daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Fri Oct 25 08:55:49 1996

Date: Thu, 24 Oct 1996 14:21:06 -0400
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: Andrew.Tridgell@anu.edu.au
Cc: linux-security@tarsier.cv.nrao.edu, wietse@wzv.win.tue.nl
In-Reply-To: Andrew Tridgell's message of Mon, 21 Oct 1996 23:51:07 +1000,
	<96Oct21.235109+1000est.65060-27084+2445@arvidsjaur.anu.edu.au>

   From: Andrew Tridgell <tridge@arvidsjaur.anu.edu.au>
   Date: 	Mon, 21 Oct 1996 23:51:07 +1000

   As far as configurability, I'd like to see these changes become the
   default, just like the changes that were made to eliminate setuid
   shell scripts, and the ones that drop source routed IP packets. I
   think these changes are of a quite different nature to the nosuid and
   noexec options, as those options would break the average linux system
   if they were on by default, whereas the proposed symlink and link
   changes should not be noticed on the vast majority of systems.

The problem with making these changes be there by default is that Linux
would then be in violation of POSIX.1 "by default".  This is a bad
thing, for a number of reasons.

Ultimately, the wise application programmer should be fixing their
programs to not have these problems.  

While I can see how this non-standard behavior you are suggesting might
be useful on time-sharing machines, because of the POSIX.1 issues I
think it has to be configurable.  Personally, the way I keep my Linux
machine secure is to make sure no-one other than myself can get a shell
into it.  There are an awfully large number of holes that one would have
to close before it was impossible for someone with a user shell to gain
root access.  We should try to close them off, but being realistic,
there'll always be one more way in....

						- Ted
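Ted's advice that application programmers fix their own programs, written out as an added example (mine, not code from this thread or from the patch under discussion): the conventional way to create a file in a sticky-bit, world-writable directory such as /tmp so that a symlink pre-planted at that name cannot redirect the write. The helper name and the scratch-directory scenario are my constructions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create `path` in a sticky, world-writable directory such as /tmp without
 * being redirected by a symlink planted there: O_EXCL refuses any existing
 * name (a symlink included), O_NOFOLLOW refuses symlinks outright, and
 * fstat() on the descriptor, not the path, confirms a fresh regular file
 * we own with a single link. Hypothetical helper name. */
int open_new_private(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                /* EEXIST or ELOOP when the name was taken */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a scratch directory under /tmp: a symlink already
 * sits at the name "planted" when we go to create it; the helper must refuse
 * it and still succeed on the unclaimed name "fresh". Returns 1 if both hold. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/tbit-demo-XXXXXX", planted[64], fresh[64];
    int ok = 0, fd;
    if (!mkdtemp(dir))
        return 0;
    snprintf(planted, sizeof planted, "%s/planted", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);
    if (symlink("dangling-target", planted) == 0 &&
        open_new_private(planted) == -1 &&        /* symlink refused */
        (fd = open_new_private(fresh)) >= 0) {    /* clean name accepted */
        ok = 1;
        close(fd);
        unlink(fresh);
    }
    unlink(planted);
    rmdir(dir);
    return ok;
}
```

Without the kernel change, this check is the only thing standing between a program and a planted link, which is why Ted puts the burden on the application.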
