Is there a reason we do not turn on the file system hardlink/symlink protection in Rawhide?
Michael Scherer
misc at zarb.org
Sun Mar 24 14:40:35 UTC 2013
Le dimanche 24 mars 2013 à 09:05 -0400, Nico Kadel-Garcia a écrit :
> On Sat, Mar 23, 2013 at 11:08 PM, Kevin Kofler <kevin.kofler at chello.at> wrote:
> > Miloslav Trmač wrote:
> >> BTW determining this accurately should be fairly doable[1]. Just look
> >> for symlink() and link() calls (and recursively through wrapper APIs /
> >> language bindings). These syscalls are fairly rare.
> >
> > That checks for PROGRAMS which run into this. It catches neither admin's
> > custom scripts nor ln commands run directly by the users. Who knows on how
> > many machines manually created symlinks point to inodes owned by different
> > users?
>
> For example, I've been known to link /sbin programs to $HOME/bin/. on
> hosts I use and do not have root access on, so that "traceroute" iour
> "chkconfig" or the "hardlink" program are always avaialble. The
> decision to leave "/sbin" out of the default PATH except for root
> users has created many interesting such situations.
You can also just fix the path for your user.
> This is especially
> true in environments where commercial or experimental versions of gcc
> or Java are instlled in /usr/local/gcc or /usr/local/java or
> /opt/[package] on some hosts and not others, and need to be activated
> on a user-by-user basis.
Unless your $HOME/bin is using a sticky bit and is world writable
like /tmp, this will change nothing for you.
See
http://users.sosdg.org/~qiyong/lxr/source/Documentation/sysctl/fs.txt#L160 for more information.
Also, for the record, Debian also enable it for the next stable
release :
http://womble.decadent.org.uk/blog/whats-in-the-linux-kernel-for-debian-70-wheezy-part-1.html
( along other interesting things, like disable autoloading for seldomly
used network protocols )
--
Michael Scherer
More information about the devel
mailing list