Today I learned that you can create hard links to a file you don't own and can't write to or even read from:

$ su -l root -c 'touch /tmp/foo && chmod 600 /tmp/foo'
$ ln /tmp/foo /tmp/bar

This strikes me as bonkers and a likely source of security issues. POSIX says:

> The implementation may require that the calling process has
> permission to access the existing file.
>
> https://pubs.opengroup.org/onlinepubs/9699919799/functions/link.html

So this behaviour is allowed by POSIX but it would also be allowed to make this fail with EACCES. Unclear whether POSIX means ownership, group membership, write access, or read access, but unless a POSIX language lawyer can cite chapter & verse for the specific definition of `has permission to access', I think this means the implementation is allowed to apply any of those access rules?

Apparently we have sysctl knobs

    security.models.extensions.hardlink_check_uid
    security.models.extensions.hardlink_check_gid

to prohibit this bonkers linking, by prohibiting anyone but the owner (hardlink_check_uid) or members of the group (hardlink_check_gid) from creating hard links. But the knobs are off by default.

Linux has a knob fs.protected_hardlinks which, if set, requires the user to own or have write access to the file.

I think we should have these knobs on by default, but of course in principle that might break existing configurations. So maybe we could put it in the default /etc/sysctl.conf -- that way you only get it on upgrade if you merge updates to /etc.

Thoughts?
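As an added example (not part of the original post), here is a POSIX sh script that audits the knobs the post names: the NetBSD `security.models.extensions.hardlink_check_uid` / `hardlink_check_gid` pair and Linux's `fs.protected_hardlinks`. It reads them with `sysctl -n` (assumed to be available on both systems; a knob the kernel does not know is skipped) and reports whether the host still allows the `ln` shown above for files the caller cannot access. The sample sysctl outputs in the script are constructed, not captured from a real machine, and the `/etc/sysctl.conf` lines in the comment are the post's own proposal spelled out.

```shell
#!/bin/sh
# Added example (not from the original post): audit the hard-link
# restriction knobs named in the post and report whether this host
# still lets an unprivileged user hard-link a file it cannot access.

HARDLINK_KNOBS='security.models.extensions.hardlink_check_uid
security.models.extensions.hardlink_check_gid
fs.protected_hardlinks'

# hardlink_knob_status KNOB_LINES
#   KNOB_LINES: newline-separated "knob=value" (or "knob = value") lines.
#   Prints "protected" if at least one known knob is set to 1, otherwise
#   "unprotected". "protected" means link(2) is refused for callers who
#   are not the owner (uid check), not in the owning group (gid check),
#   or, on Linux, neither own nor can write the file.
hardlink_knob_status() {
  status=unprotected
  while IFS='=' read -r knob value; do
    case "$knob" in
      security.models.extensions.hardlink_check_uid|security.models.extensions.hardlink_check_gid|fs.protected_hardlinks)
        [ "$value" = 1 ] && status=protected
        ;;
    esac
  done <<EOF
$(printf '%s\n' "$1" | tr -d ' \t')
EOF
  echo "$status"
}

# query_live_system
#   Emits "knob=value" for whichever knobs exist on this host, using
#   `sysctl -n` (assumed present); unknown knobs are skipped silently.
query_live_system() {
  for knob in $HARDLINK_KNOBS; do
    if value=$(sysctl -n "$knob" 2>/dev/null); then
      printf '%s=%s\n' "$knob" "$value"
    fi
  done
}

# Constructed samples (not captured from real hosts) standing in for what
# query_live_system prints on a default NetBSD box, a NetBSD box with the
# uid check enabled, and a Linux box with the knob switched on.
SAMPLE_NETBSD_DEFAULT='security.models.extensions.hardlink_check_uid=0
security.models.extensions.hardlink_check_gid=0'
SAMPLE_NETBSD_HARDENED='security.models.extensions.hardlink_check_uid=1
security.models.extensions.hardlink_check_gid=0'
SAMPLE_LINUX_ON='fs.protected_hardlinks = 1'

# To make the restriction persistent, the post proposes /etc/sysctl.conf;
# the first two lines apply to NetBSD, the third to Linux:
#   security.models.extensions.hardlink_check_uid=1
#   security.models.extensions.hardlink_check_gid=1
#   fs.protected_hardlinks=1

# Run with --live to audit the current host; with no argument only the
# functions and samples are defined.
case "${1:-}" in
  --live)
    live=$(query_live_system)
    printf '%s\n' "$live"
    echo "hard-link restriction: $(hardlink_knob_status "$live")"
    ;;
esac
```

Running `sh audit-hardlinks.sh --live` as any user prints the knobs the kernel knows plus a one-word verdict; on a default NetBSD install, per the post, that verdict is `unprotected`. The verdict is deliberately "any knob set" rather than "all knobs set" because the uid check alone already closes the case in the post (a root-owned mode 600 file).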