[ale] security : options for restricting hard links?

J.M. Taylor jtaylor at onlinea.com
Wed Mar 12 09:58:57 EST 2003


Been googling all morning since a friend discovered that PHP's
open_basedir restriction does *not* apply to hard links, only symlinks,
which makes sense as PHP has no way of knowing that something is a hard
link.

The impact seems fairly minimal on a well-set-up machine, but it's caught
my attention as a potentially insidious problem that doesn't get mentioned
much (or at all??) in how-to-set-up-a-secure-webserver literature.

So I've been looking into restricting this and so far have found
suggestions for setting chattr flags (tested, don't work) and kernel
patches...but I have to admit having a box hosted elsewhere I'm a bit
leery of adding stuff to the kernel.  Openwall, at least, seems to be on
the right track but I want to *completely* prevent linking on a particular
file system (yes, I have good reasons), not just restrict to the right UID
or GID.

Suggestions? Do any of y'all restrict link creation?  What do you use?

TIA
jenn

-- 
Jenn Taylor
Onlinea Software
jtaylor at onlinea.com
www.onlinea.com




_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
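
An audit sketch for the situation described in the post above, added here as an example and not part of the original message or of any project it mentions: it walks a directory tree (for instance the one named in open_basedir) and reports regular files whose inode has more than one name, including how many of those names lie outside the tree. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict

def audit_hard_links(root):
    """Report regular files under root whose inode has more than one name.

    Returns sorted tuples (paths_under_root, link_count, names_elsewhere);
    names_elsewhere > 0 means the same data also has a name outside root.
    """
    paths_by_inode = defaultdict(list)  # (st_dev, st_ino) -> names seen under root
    link_count = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a symlink
            except OSError:
                continue  # vanished or unreadable while scanning
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                key = (st.st_dev, st.st_ino)
                paths_by_inode[key].append(path)
                link_count[key] = st.st_nlink
    return sorted((sorted(p), link_count[k], max(0, link_count[k] - len(p)))
                  for k, p in paths_by_inode.items())

def demo():
    """Audit a constructed tree: one link pair inside docroot, one crossing out."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot, outside = os.path.join(tmp, "docroot"), os.path.join(tmp, "outside")
        os.makedirs(docroot)
        os.makedirs(outside)
        for path in (os.path.join(outside, "secret.conf"),
                     os.path.join(docroot, "a.php"),
                     os.path.join(docroot, "index.php")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.link(os.path.join(outside, "secret.conf"), os.path.join(docroot, "notes.txt"))
        os.link(os.path.join(docroot, "a.php"), os.path.join(docroot, "b.php"))
        return [([os.path.relpath(p, docroot) for p in paths], n, extra)
                for paths, n, extra in audit_hard_links(docroot)]

if __name__ == "__main__":
    for paths, n, extra in demo():
        print(paths, "links:", n, "names outside tree:", extra)
```

Entries with a non-zero last field are the ones a path-prefix check cannot account for; the other names can be located by searching the same filesystem for the matching inode number.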





