
Bug#609455: linux-2.6: block hardlinks to non-accessible sources



Package: linux-2.6
Severity: wishlist
Tags: patch

An indirect security problem in many Linux systems is that a user can generate hardlinks to files that he may not write. I suggest adding a patch [1] to Debian's kernel which adds a sysctl configuration option to forbid such hardlinks. This option should default to "allow" so that the default behaviour does not change.

This patch will protect against the following security problems when activated:
One scenario that is described in [2] is that a user creates a hardlink to a suid-root binary, e.g. /bin/bash, inside his home directory and asks the administrator to fix the permissions in this directory. The administrator will probably run chmod -R u+w,g+w and chown -R user:usergroup. Now the user is the owner of /bin/bash and can quickly become root.
A rather simple case would be flooding /tmp/ with hardlinks to root-owned files. Even if the user is limited to a certain number of files, this will not be counted on his quota.

If the patch is activated, there are only a few negative side effects:
It violates POSIX specifications and might break unknown, possibly insecure, applications.

BTW, Ubuntu has this patch enabled by default, so it can't be too bad.

Thanks

Max Gaukler


[1] https://lists.ubuntu.com/archives/kernel-team/2010-May/010495.html
[2] http://books.google.com/books?id=x3jWs7735WgC&lpg=PA107&ots=JQDfr2tCV2&dq=hardlink%20owner&hl=de&pg=PA107#v=onepage&q=hardlink%20owner&f=false
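
A pre-flight check for the administrator scenario described in the report, as an added example that is not part of the original message or of the referenced patch: before running a recursive chown or chmod on a user's directory, list regular files that have more than one hard link, are owned by someone else, or carry setuid/setgid bits. The function names and the sample tree built in `demo()` are assumptions made for this illustration.

```python
import os
import stat
import tempfile


def risky_entries(root, expected_uid):
    """Return sorted (path, reasons) for regular files under root that a
    recursive chown/chmod should not be applied to blindly."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):  # does not follow symlinked dirs
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # inspect the entry itself, never a symlink target
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if st.st_nlink > 1:
                # Another name for this inode exists, possibly outside root.
                reasons.append("hardlinked (nlink=%d)" % st.st_nlink)
            if st.st_uid != expected_uid:
                reasons.append("owner uid %d" % st.st_uid)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("setuid/setgid")
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)


def demo(expected_uid=None):
    """Build a constructed sample tree and scan its 'home' directory."""
    if expected_uid is None:
        expected_uid = os.getuid()
    with tempfile.TemporaryDirectory() as top:
        home = os.path.join(top, "home")
        outside = os.path.join(top, "outside")
        os.mkdir(home)
        os.mkdir(outside)
        target = os.path.join(outside, "tool")  # stands in for a system binary
        open(target, "w").close()
        open(os.path.join(home, "notes.txt"), "w").close()
        os.link(target, os.path.join(home, "innocent"))  # second name, same inode
        found = risky_entries(home, expected_uid)
        return [(os.path.relpath(p, top), r) for p, r in found]


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

Any file this reports should be reviewed by hand and excluded from the recursive ownership or permission change until its other link names are accounted for.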



