On Fri, Jul 17, 2009 at 12:34:38PM +0200, Jilles Tjoelker wrote: > In compliance with POSIX.1-2008, linkat() allows creating hard links to > symlinks. This means that it is a much worse idea to trust a symlink > just because it is owned by a trusted user (if it is in a directory > writable by other users). Security issues like > http://archives.neohapsis.com/archives/postfix/2008-08/0391.html now > affect FreeBSD 8 local filesystems as well. > > Given that Linux and Solaris have allowed this for a long time, I think > this functionality should remain, but it should probably be mentioned in > the release notes. The security.bsd.hardlink_check_uid sysctl can be > used to avoid vulnerabilities. > > By the way, the man page erroneously says the AT_SYMLINK_NOFOLLOW flag > should be set to have linkat() follow symlinks. The standard and the > implementation are correct, AT_SYMLINK_FOLLOW; the AT_SYMLINK_NOFOLLOW > flag is not valid for this function. Please commit the fix. > > Note that the link command and the link() function always follow > symlinks (this is POSIX.1-2001 and POSIX.1-2008 compliant), and the ln > command will not create hard links to symlinks either. Hence, people may > think it is not possible (the check in the Postfix advisory will not > detect FreeBSD 8's capability). > > I have a patch to add the POSIX.1-2008 -L and -P options to ln, making > it possible to choose the desired behaviour (follow/don't follow > symlinks). I think this is too late for 8.0, however. You can make it in before BETA3, in my opinion.
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:52 UTC