In compliance with POSIX.1-2008, linkat() allows creating hard links to symlinks. This means that it is a much worse idea to trust a symlink just because it is owned by a trusted user (if it is in a directory writable by other users). Security issues like http://archives.neohapsis.com/archives/postfix/2008-08/0391.html now affect FreeBSD 8 local filesystems as well.

Given that Linux and Solaris have allowed this for a long time, I think this functionality should remain, but it should probably be mentioned in the release notes. The security.bsd.hardlink_check_uid sysctl can be used to avoid vulnerabilities.

By the way, the man page erroneously says the AT_SYMLINK_NOFOLLOW flag should be set to have linkat() follow symlinks. The standard and the implementation are correct, AT_SYMLINK_FOLLOW; the AT_SYMLINK_NOFOLLOW flag is not valid for this function.

Note that the link command and the link() function always follow symlinks (this is POSIX.1-2001 and POSIX.1-2008 compliant), and the ln command will not create hard links to symlinks either. Hence, people may think it is not possible (the check in the Postfix advisory will not detect FreeBSD 8's capability).

I have a patch to add the POSIX.1-2008 -L and -P options to ln, making it possible to choose the desired behaviour (follow/don't follow symlinks). I think this is too late for 8.0, however.

--
Jilles Tjoelker

Received on Fri Jul 17 2009 - 08:34:40 UTC
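Added example (not part of the original message and not FreeBSD or Postfix code): a small C probe for the linkat() behaviour discussed above. It calls linkat() on a symlink once with flag 0 and once with AT_SYMLINK_FOLLOW, and includes an lstat()-based check for symlinks that have more than one hard link; the function names, the /tmp scratch path and the idea of refusing such symlinks are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path is a symlink with more than one hard link, 0 if not, -1 if
 * lstat() fails. Refusing such symlinks is this example's assumption. */
int symlink_is_multiply_linked(const char *path)
{
    struct stat sb;
    if (lstat(path, &sb) == -1)
        return -1;
    return S_ISLNK(sb.st_mode) && sb.st_nlink > 1;
}

/* Link a symlink inside a fresh scratch directory with the given linkat()
 * flag (0 or AT_SYMLINK_FOLLOW). Returns 1 if the new name is itself a
 * symlink, 0 if it is a link to the symlink's target, -1 on failure. */
int probe_linkat(int flag)
{
    char dir[] = "/tmp/linkat-probe-XXXXXX";  /* constructed scratch path */
    char target[64], sym[64], newname[64];
    struct stat sb;
    int fd, result = -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(sym, sizeof sym, "%s/sym", dir);
    snprintf(newname, sizeof newname, "%s/new", dir);
    fd = open(target, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd != -1 && symlink("target", sym) == 0 &&
        linkat(AT_FDCWD, sym, AT_FDCWD, newname, flag) == 0 &&
        lstat(newname, &sb) == 0) {
        result = S_ISLNK(sb.st_mode) ? 1 : 0;
        if (result == 1 && symlink_is_multiply_linked(sym) != 1)
            result = -1;
    }
    if (fd != -1) close(fd);
    unlink(newname); unlink(sym); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    printf("flag 0: %d, AT_SYMLINK_FOLLOW: %d\n",
           probe_linkat(0), probe_linkat(AT_SYMLINK_FOLLOW));
    return 0;
}
```

On a system that permits hard links to symlinks the flag 0 probe reports 1; where the kernel or file system refuses the call it reports -1.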