[1278] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

Re: [linux-security] Re: t bit and symli

daemon@ATHENA.MIT.EDU (Miller, Raul D.)
Wed Oct 30 13:05:35 1996

From: "Miller, Raul D." <RDMiller@legislate.com>
To: linux-security@tarsier.cv.nrao.edu
Date: Mon, 28 Oct 96 12:44:00 PST

Wietse Venema (Oct 24):
>   To keep semantics simple, I suggest the principle of least surprise:
>   1) don't allow the creation of hard links that the process can't
>   remove, and 2) don't follow symlinks that the process doesn't own.
>
>   1) can be overruled when the process has superuser privilege; 2) can be
>   overruled when the symlink is owned by the superuser or when the
>   symlink is owned by the owner of its (source) directory.

(A) As has been mentioned before, if any of this done, it has to be 
configurable -- it's non-standard, and might break existing code.

(B) As has been mentioned before, the semantics of rename prevent (1) from 
being useful.  Making rename non-atomic would break the reliability of code 
which relies on this being an atomic operation.  Because of this complexity, 
I don't think (1) is on the right track.

(C) Rule (2) is overly restrictive, but is close to a good idea. 

The right thing to do is probably the rule of least privilege -- when 
following symlinks, drop any user privileges so that they do not exceed the 
access privileges of the owner (and group) of the intervening symlink(s).  
This might be non-standard, but it "feels right" to me.  [Of course, this 
would not effect either the real or effective id for the case of suid or sgid 
programs -- though, conceivably, it might prevent them from being run.] 

-- 
Raul

home help back first fref pref prev next nref lref last post