> I have some security proposal. Hardlinks in given filesystem
> can created by any user. Well known hardlink attack ($ ln
> /etc/passwd ~/.somestuff; # chown user /home/user -R; $ vi
> ~/.somestuff) now maybe done by any user.
Except for the chown part, which must be done by root, as you
have hinted with the # prompt.
> Any sysadmin can't remember all her security "holes" (i.e.
> some chown user.group ... -R in system crontabs).
'chown -R user /home/user' is something an administrator
should NOT do. It is an anti-security measure to give away
files to a user. The fact that a file (i.e. *one* of the 1-N
links to it) happens to reside in the home directory of the
user doesn't change the issue a bit.
If you need to remap NFS-mounted files, do it selectively
based on a uid->uid mapping, not based on which directory
containing a link to the file your tool happens to hit first.
> _CHECK_ permissions for files before make hardlink. If this
> conflicts with some standards, maybe needed to make this
> configurable.
I'm sure it conflicts with quite a lot of standards, because
it conflicts very fundamentally with the way UNIX handles
files.
Is there nobody out there anymore that understands the beauty
of the UNIX file systems, how the flat files are separated
from the hierachical directory entries pointing to them. A
file with just one link is as much "hard-linked" as a file
with several links. An "N-link" file is no more a special
case than a one-link file. Hard links are completely
symmetrical. A file can even have zero links, in case a
process holds it open after unlinking it.
I think one of the biggest mistakes in the history of UNIX was
to call symbolic links "links". The word "pointer" would have
been more appropriate. Symbolic links are asymmetrical --
there is a master file and the links point to it.
Sigh. Maybe I've been using Unix too long. Should I grow a
beard or something?
-- Johan Myreen jem@iki.fi