Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S263803AbTKXRfu (ORCPT ); Mon, 24 Nov 2003 12:35:50 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S263806AbTKXRfu (ORCPT ); Mon, 24 Nov 2003 12:35:50 -0500 Received: from mail.jlokier.co.uk ([81.29.64.88]:3968 "EHLO mail.shareable.org") by vger.kernel.org with ESMTP id S263803AbTKXRft (ORCPT ); Mon, 24 Nov 2003 12:35:49 -0500 Date: Mon, 24 Nov 2003 17:35:27 +0000 From: Jamie Lokier To: "Richard B. Johnson" Cc: Jakob Lell , linux-kernel@vger.kernel.org Subject: Re: hard links create local DoS vulnerability and security problems Message-ID: <20031124173527.GA1561@mail.shareable.org> References: <200311241736.23824.jlell@JakobLell.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1839 Lines: 44 Richard B. Johnson wrote: > To prevent this, a user can set his default permissions so that > neither group nor world can read the files. This is usually done > by setting the attributes in the user's top directory. Correct, but the quota problem is genuine: what if I want to create a lot of files in /home/jamie that are readable by other users, but I want to be able to delete them at some later time and reuse my quota for something else? This is quite a normal scenario on multi-user systems with quotas. You seem to be suggesting that the only method is to have a separate partition for each user, which is absurd. Another method is "tree quotas" which have come up on this list before. Hopefully they will be included one day; tree quotas seem like they would solve this problem and some others. > A setuid binary created with a hard-link will only work as a setuid > binary if the directory it's in is owned by root. That isn't true. > If you have users that can create files or hard-links within such > directories, you have users who either know the root password > already or have used some exploit to become root. In any case, it's > not a hard-link problem /tmp is owned by root and anyone can create a hard link in /tmp to other files, on a system where /tmp doesn't have its own filesystem. > No. Users must be able to create hard links to files that belong > to somebody else if they are readable. It's a requirement. I disagree. The ability to create files and declare that someone else can't hard link to them would be useful in a multi-user environment. -- Jamie - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/