[aklug] Re: Strange hard linking

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Sun Nov 28 2010 - 08:56:09 AKST

On Sun, 28 Nov 2010, Christopher Howard wrote:

> The exact same command works fine on my system:
>
> cmhoward@enigma /tmp $ sudo touch woman
> cmhoward@enigma /tmp $ ln woman man
> cmhoward@enigma /tmp $ ls -l woman man
> -rw-r--r-- 2 root root 0 Nov 27 20:19 man
> -rw-r--r-- 2 root root 0 Nov 27 20:19 woman
>
> I'm running XFS file system on amd64 Gentoo (Gentoo-patched kernel 2.6.34-gentoo-r12).

I'm glad to see people testing theories, but I'm a bit surprised that this
thread has gone on this long. What you guys have been describing all along
is simply the default UNIX behavior since the inception of hard link
support. This is not a security issue, it's just how hard links work.

The rules are simple:

   1) If the effective user has write privileges to where you're making
      the link, he can make a link, however...
   2) Since all you're doing is adding another name by which the file can
      be accessed, the hard link keeps all original meta data. Note
      that this contrasts with a symbolic link because a symbolic link
      literally creates a new file. A hard link doesn't. In fact, you
      should note that all hard links and the original file share the exact
      same inode number.
   3) The user cannot make links to files whose meta data they can't read.
      This means that a file in root's home directory, for instance, is safe
      from having a link elsewhere by a non-root user.
   4) As always, hard links can't be made to directories or across file
      systems.

In short, hard links are a very well documented and understood capability, and
there is no issue with how Linux implements it. For those of you with
distributions that put the entire OS and user space on one filesystem,
though, the onus is on *you* to make sure your filesystem is properly
secured, or you do run the risk of having some files preserved that you may
not want.

Remember rule #4. If you have a separate filesystem for /tmp and /home
(assuming those are the only mounts that have user-write privileges on them)
then there's no way hard links can be leveraged by the unprivileged to
preserve files in the OS. Of course, given that hard links don't change
privileges, anyway, and they can only be done to files with readable meta
data, it's not like you're exposing any information that isn't already
exposed.

So, this all winds down to the effective user privileges. You can make
links only to files whose meta data you can read, but only in directories on
the same filesystem where you have write privileges.

Let's call this UNIX/POSIX Filesystems 201. Purely academic and
intentional behavior.

         --Arthur Corliss
           Live Free or Die
Received on Sun Nov 28 08:56:20 2010
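
The behavior described in this message (shared inode, link count, a file surviving under its second name) can be checked from the shell, along with a simple audit for multiply-linked files in a user-writable tree. This is an added example, not part of the original post; the function names and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. All paths are constructed
# under a temporary directory; function names are illustrative.

# Link count of a file: field 2 of `ls -dl`.
link_count() {
    set -- $(ls -dl "$1")
    echo "$2"
}

# Inode number of a file: field 1 of `ls -di`.
inode_of() {
    set -- $(ls -di "$1")
    echo "$1"
}

# Every name under root $2 (same filesystem only) that refers to $1's inode.
names_of() {
    find "$2" -xdev -inum "$(inode_of "$1")" -print | sort
}

# Audit: regular files under $1 that have more than one name on the
# filesystem. Run against user-writable trees such as /tmp or /home.
audit_multilink() {
    find "$1" -xdev -type f -links +1 -print | sort
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/os" "$d/tmp"
    echo data > "$d/os/woman"
    ln "$d/os/woman" "$d/tmp/man"         # second name, same inode
    ln -s "$d/os/woman" "$d/tmp/sym"      # symlink: a new file, own inode
    echo "link count of woman: $(link_count "$d/os/woman")"
    echo "inode woman=$(inode_of "$d/os/woman") man=$(inode_of "$d/tmp/man")" \
         "sym=$(inode_of "$d/tmp/sym")"
    echo "names sharing the inode:"; names_of "$d/os/woman" "$d"
    echo "audit of $d/tmp:"; audit_multilink "$d/tmp"
    rm "$d/os/woman"                      # removes one name, not the data
    echo "after rm, man still holds: $(cat "$d/tmp/man")"
    rm -rf "$d"
}

demo
```

A file reported by `audit_multilink` in a user-writable tree has at least one other name on that filesystem; `names_of` locates the other names.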
