Re: Proposal: restrict link(2)

Hubert Mantel (
Wed, 11 Dec 1996 11:07:35 +0100 (MET)


On Wed, 11 Dec 1996, Thomas Koenig wrote:

> The possiblities of playing around with symlinks in /tmp are well
> known and understood.
> However, there are also many things which can go wrong with publically
> writable directories, such as /tmp, when hard links are employed.
> Consider a (questionable) root-owned program which does a
> chown("/tmp/foo", uid, gid), with the sticky bit set on /tmp.
> If /tmp/foo is a symbolic link to /etc/passwd, all is well with Linux -
> it changes the ownership of the symbolic link (which is meaningless in
> most cases), and /etc/passwd still belongs to root.
> If, however, /tmp/foo is a HARD link to /etc/passwd, chown("/tmp/foo",
> uid, gid) will lead to the user owning /etc/passwd - not a desirable
> thing, in general.
> My proposal would be to disallow linking a file into a directory which
> has the sticky bit set unless the owner of the file is attempting this.
> In other words, Joe Random Cracker can't do a 'ln /etc/passwd /tmp/foo'
> beforehand.
> Comments?

I would not like to have /etc/passwd on the same file system as /tmp. I
think critical systems should have a really small root partition and
everything else should reside on separate partitions, so no hard linking
to the files mentioned is possible.

> Thomas Koenig,, ig25@dkauni2.bitnet.