Re: Proposal: restrict link(2)

Paul Slootman (
Mon, 16 Dec 1996 18:31:52 GMT

Dan Merillat <> wrote:
>harik@chaos:~$ ls -alt ~/hidden
>total 12
>drwx------ 2 harik admin 1024 Dec 13 14:51 .
>-rwxrwxrwx 1 harik admin 1240 Dec 13 14:51 mycreditcards
>drwxr-xr-t 47 harik admin 9216 Dec 13 14:50 ..
>Would you say that the file is worldreadable? worldwritable? No, because
>the permissions on the file are the SUM of the permissons of the file and
>the directory...
>So a hard link outside of this directory WOULD change the permissions...
>not on the inode, but it changes the ability to access the file.
>Granted, nobody would be stupid enough to make their credit card numbers
>world writable, but the example holds. hard links can change the ability
>to access a file WITHOUT the owner's permission or knowledge.

How do you suggest the hard link to the file in your example is made?
Another user cannot make a hard link to the file "mycreditcards",
because they cannot get to that file through the ~/hidden directory;
it has all permissions off for group and others.

Of course, if you make the link yourself... But that defeats the purpose
of this thread.

>For a more applicable example:
>/usr/sbin/admin is a directory that only people in group admin can access.
>inside are user modification tools, suid root, executable by group user-adm.
>Therefore, the permission to modify a user is dependant on being in both
>group admin and user-adm. Why two levels? Because on any heirarchy there
>are going to be groups of administration that overlap.
>Makes sense right? Except having any directory on the
>same partition as /usr/sbin/admin writable by group admin destroys the
>entire scheme. And that's not something that many people realise.

Wrong again. You say yourself that the directory /usr/sbin/admin is
only accessible to people in group admin. Suppose you're a non-admin
user. Please explain how you are going to make a link to any file in
the /usr/sbin/admin directory? Assume for this example that /usr/sbin/admin
is on the same file system as /usr/tmp.


>I'm not talking about hiding data. I'm saying that the lifespan of
>a file is something that only the owner should be able to modify.

No, that would mean that no one besides the owner could delete the
file, even if it is in a group-shared directory, for example. That's
not useful.

I think you mean "the lifespan of a file is something that only the
owner should be able to _lengthen_". This is a subtle difference,
of course.