From: Robert Watson
Date: Sun, 31 Dec 2006 15:36:33 +0000 (GMT)
To: Colin Percival
Cc: freebsd-arch@freebsd.org
Subject: Re: default value of security.bsd.hardlink_check_[ug]id
Message-ID: <20061231153329.Y8131@fledge.watson.org>
In-Reply-To: <459745DA.1010801@freebsd.org>

On Sat, 30 Dec 2006, Colin Percival wrote:

> I'd like to make security.bsd.hardlink_check_[ug]id default to 1, starting
> with FreeBSD 7.x. This would make it impossible for a user to create a hard
> link to a file which he does not own.
>
> Any objections?

I'm not opposed to this in principle (in fact, I think it's a good idea in principle), but I think it would make sense to evaluate what other operating systems are doing on this front. For example, I think Pawel recently mentioned that Sun has already made this change (or the equivalent in Solaris), but we should confirm that, and google to see if there have been many problems for Solaris users. Likewise, have similar changes been made in Linux or the hardened Linux distributions, and what sorts of problems have been reported? If it's widespread then it's likely most major applications won't have a problem with it, but if not, we should be prepared to work through tracking them down.

I'm not entirely happy with the current implementation, FWIW. I'd like can_hardlink to be implemented in the per file system code, possibly by invoking a common routine of this sort, avoiding the extra call to VOP_GETATTR(), and allowing file systems not implementing ownership in traditional ways (msdosfs, etc) to do whatever makes sense in their context. On the whole, these sorts of decisions are made in each file system, often using common code (perhaps centralized), and not at the VFS layer.

Robert N M Watson
Computer Laboratory
University of Cambridge
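The ownership check the thread is debating, as a constructed user-space model added here for illustration; it is not FreeBSD's kernel code. The `cred` struct, `can_hardlink_model`, the `privileged` flag (standing in for the kernel's superuser check) and the sample uids/gids are all assumptions.

```c
#include <sys/types.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Stand-ins for the sysctl knobs; 1 is the default proposed in the thread. */
int hardlink_check_uid = 1;
int hardlink_check_gid = 1;

/* Minimal credential: effective uid, group list (groups[0] is the egid),
 * and whether the caller holds root privilege (assumed superuser check). */
struct cred {
    uid_t uid;
    const gid_t *groups;
    size_t ngroups;
    bool privileged;
};

/* Group check covers supplementary groups, not just the primary gid. */
static bool groupmember(gid_t gid, const struct cred *cred)
{
    for (size_t i = 0; i < cred->ngroups; i++)
        if (cred->groups[i] == gid)
            return true;
    return false;
}

/* Returns 0 if `cred` may hard-link a file owned by file_uid:file_gid,
 * EPERM otherwise: consult the knobs, then compare the file's ownership
 * (what VOP_GETATTR() would have fetched) against the caller's credentials. */
int can_hardlink_model(uid_t file_uid, gid_t file_gid, const struct cred *cred)
{
    if (!hardlink_check_uid && !hardlink_check_gid)
        return 0;                       /* both knobs off: historical behaviour */
    if (hardlink_check_uid && cred->uid != file_uid && !cred->privileged)
        return EPERM;                   /* caller does not own the file */
    if (hardlink_check_gid && !groupmember(file_gid, cred) && !cred->privileged)
        return EPERM;                   /* caller not in the file's group */
    return 0;
}

/* Constructed sample callers: an unprivileged user in groups 1001 and 20,
 * and a privileged root credential. */
static const gid_t sample_groups[] = {1001, 20};
static const struct cred sample_user = {1001, sample_groups, 2, false};
static const struct cred sample_root = {0, sample_groups, 1, true};

int user_may_link(uid_t file_uid, gid_t file_gid)
{ return can_hardlink_model(file_uid, file_gid, &sample_user); }
int root_may_link(uid_t file_uid, gid_t file_gid)
{ return can_hardlink_model(file_uid, file_gid, &sample_root); }
```

With both knobs on, the unprivileged caller is refused a link to root-owned files (the case the proposal targets) but still allowed one to a file it owns whose group it merely belongs to.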