On 2014-10-29 11:52:43 -0400, Robert Haas wrote:
> On Wed, Oct 29, 2014 at 11:34 AM, Stephen Frost <sfrost@snowman.net> wrote:
> > The specifics actually depend on (on Linux, at least) the value of
> > /proc/sys/fs/protected_hardlink, which has existed in upstream since 3.6
> > (not sure about the RHEL kernels, though I expect they've incorporated
> > it also at some point along the way).
> >
> > There is a similar /proc/sys/fs/protected_symlinks control for dealing
> > with the same kind of time-of-check / time-of-use issues that exist with
> > symlinks.
> >
> > At least on my Ubuntu 14.04 systems, these are both set to '1'.
>
> Playing devil's advocate here for a minute, you're saying that
> new-enough versions of Linux have an optional feature that prevents
> this attack. I think an argument could be made that this is basically
> unsecurable on any other platform, or even old Linux versions.
It's possible to do this securely by doing a fstat() and checking the
link count.
> And it
> still doesn't protect against the case where you hardlink to a file
> and then the permissions on that file are later changed.
Imo that's simply not a problem that we need to solve - it's much more
general and independent.
Greetings,
Andres Freund
-- Andres Freund http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training &
Services