Re: Proposal: restrict link(2)

Kai Henningsen (
15 Dec 1996 12:29:00 +0200 (Neil Moore) wrote on 13.12.96 in <>:

> it. Changing the kernel to get around userland bugs is a Bad
> Thing. Not only does it bloat the kernel, but it causes Linux
> programmers to assume that the files they are accessing will not
> be hard links to things they shouldn't be messing with -- which
> is okay, until the program runs under an earlier kernel, or gets
> ported to another Unix. When this happens, these assumptions
> blow up, and we end up with a program as buggy (on another oper-
> ating system) as the ones we are concerned about right now. All
> the broken userland programs need to be changed, *not* the kernel.

Here's another idea. It's probably not good enough as-is, but maybe
someone can improve it - or show why it is a dumb idea to begin with.

As I see it, the main problem is that everybody uses /tmp for temporary
files, including priviledged programs. That is, priviledged programs are
using a directory where every user can mess around.

Now, a priviledged program is a program running with root as one of its
various uids - or maybe (for an even stricter definition) also a program
running with two or more different uids.

Now, the idea - have a mount option that restricts priviledged programs
from using files in directories (like /tmp) that have the t bit set. (I
hope I'm not confusing those bits here ...)

This will force those programs to be rewritten to use safer areas for
their temp files.

Of course, as-is, this will break a lot of stuff, and not all of it stuff
that should break, for example:

* how would we clean out /tmp?
* root may have trouble reading mail, or using any odd program that does
temp files in /tmp - then again, those programs _are_ unsafe.

MfG Kai