| From | Crystal Kolipe <kolipe.c@exoticsilicon.com> |
|---|---|
| Newsgroups | muc.lists.netbsd.tech.security |
| Subject | Re: Hard link creation without write access |
| Date | 2023-09-07 08:56 -0300 |
| Organization | Newsgate at muc.de e.V. |
| Message-ID | <ZPm6hCA8y0ODks2b@exoticsilicon.com> |
| References | <20230907112542.4C70560A70@jupiter.mumble.net> |

On Thu, Sep 07, 2023 at 11:25:42AM +0000, Taylor R Campbell wrote:
> Today I learned that you can create hard links to a file you don't own
> and can't write to or even read from:
>
> $ su -l root -c 'touch /tmp/foo && chmod 600 /tmp/foo'
> $ ln /tmp/foo /tmp/bar
>
> This strikes me as bonkers and a likely source of security issues.

It was probably less of a concern in the past when the POSIX recommendations
were made because BSD systems typically spread the principal directories out
over various filesystems, and of course you can't hard-link across such
different devices.

So it certainly seems reasonable to re-visit it now that this is not the case
and a regular user could more easily create unexpected hard links to system
files.

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
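
An added example, not part of the original post: an audit sketch for the layout concern raised above. It reports which user-writable directories share a device with sensitive directories (hard links cannot cross devices) and lists multiply-linked files in a directory that are not owned by the expected user. The function names and the directory lists under `__main__` are assumptions chosen for illustration.

```python
import os
import stat

def shared_filesystems(writable_dirs, sensitive_dirs):
    """Return (writable, sensitive) pairs that live on the same device.

    link(2) fails with EXDEV across devices, so only these pairs let a
    user of the writable directory hard-link files from the sensitive one.
    """
    pairs = []
    for w in writable_dirs:
        w_dev = os.stat(w).st_dev
        for s in sensitive_dirs:
            if os.stat(s).st_dev == w_dev:
                pairs.append((w, s))
    return pairs

def foreign_hard_links(directory, expected_uid):
    """List regular files in `directory` with a link count above one that
    are not owned by `expected_uid` (e.g. a root-owned file linked in /tmp)."""
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            if (stat.S_ISREG(st.st_mode) and st.st_nlink > 1
                    and st.st_uid != expected_uid):
                hits.append((entry.path, st.st_uid, st.st_nlink))
    return sorted(hits)

if __name__ == "__main__":
    # Assumed directory lists for illustration; adjust to the system audited.
    writable = [d for d in ("/tmp", "/var/tmp") if os.path.isdir(d)]
    sensitive = [d for d in ("/etc", "/usr/bin", "/var/db") if os.path.isdir(d)]
    for w, s in shared_filesystems(writable, sensitive):
        print(f"{w} shares a filesystem with {s}")
    for d in writable:
        for path, uid, nlink in foreign_hard_links(d, os.getuid()):
            print(f"{path}: owner uid {uid}, link count {nlink}")
```
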