Date:      Mon, 27 Oct 1997 17:26:08 +0000 (GMT)
From:      Terry Lambert <tlambert@primenet.com>
To:        guido@gvr.org (Guido van Rooij)
Cc:        roberto@keltia.freenix.fr, freebsd-fs@FreeBSD.ORG
Subject:   Re: disabled symlinks
Message-ID:  <199710271726.KAA13912@usr01.primenet.com>
In-Reply-To: <199710270752.IAA17352@gvr.gvr.org> from "Guido van Rooij" at Oct 27, 97 08:52:41 am

> > > The nosymlink flag does not allow the creation of a symlink
> > > on the mounted file system.
> > 
> > Could you please modify your patch not to _follow_ symlinks in order to
> > disallow all symlinks in a given FS ?
> > 
> > I think that mounting "nosymlinks" should mean "no symlinks whatsoever".
> 
> In fact, perhaps this is more what you want than to disallow creation.
> That would also be more in line with nosuid. Creation of these files is okay,
> but the s{u,g}id bits are not honoured.

I disagree.  If you disallow creation of links, then the only way
links could exist is if they were put there before the mount option
was specified -- ie: by the system administrator.

In fact, I would prefer he modify the patch to still allow root to
create symlinks.

The danger you are escaping is symlinks created by your users.

Personally, I'd prefer that the security holes be closed instead of
worked around in this manner anyway, but if you are adding an option
as administrative fiat, then it ought to respect the administrator.

As far as "nosuid" goes, I will note that if root runs a program on
a nosuid mounted volume, the program runs as root.  And root can also
"suid" to any user id, and run the program, simulating an "suid" event.

So if the intent is to make it act like "nosuid", then it should only
affect creation, and being root should override the option (ie: root
can still create symlinks).


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.


