Tightening security: not for the impatient

Posted Jul 5, 2012 2:18 UTC (Thu) by kevinm (guest, #69913)
Parent article: Tightening security: not for the impatient

It's correct that the symlink behaviour change doesn't violate POSIX, because it's limited to directories with the sticky bit set and the sticky bit isn't specified by POSIX at all.

The hardlink behaviour change would though, unless it too is limited to directories with the sticky bit set - is that the case?

Tightening security: not for the impatient

Posted Jul 6, 2012 19:49 UTC (Fri) by mfedyk (guest, #55303) [Link] (1 responses)

Since most filesystems do not have a reverse reference from inode to dirents that point to them, you would either have to do a directory tree walk or hope it's already cached in the dcache, which would lead to immeasurable amounts of fun. That, or it would depend on which dirent was used to look up the inode.

No, this hard link change could not be related to directory sticky bit because multiple directories could point to the same inode (hard links).

That said, it would be acceptable IMO if it was activated with a mount option.

Tightening security: not for the impatient

Posted Jul 9, 2012 3:55 UTC (Mon) by kevinm (guest, #69913) [Link]

It's not the director(ies) where the current links are that matter, it's the directory where the new link is being created that should have to be sticky for the new rules to apply.

It even makes sense, because in a sticky directory you can create hardlinks that you can't then remove, but the same isn't true of nonsticky directories.

It's also unambiguous, and the destination directory of the link already has to be looked up to create the link.

Tightening security: not for the impatient

Posted Jul 11, 2012 21:31 UTC (Wed) by BenHutchings (subscriber, #37955) [Link]

POSIX also allows pretty much any operation to be denied due to security policy.