Hard links to directories: why not?

The Grey Wolf greywolf at unisoft.UUCP
Fri Jul 20 04:04:39 AEST 1990 

In article <1990Jul18.235607.19403 at virtech.uucp> cpcahil at virtech.UUCP (Conor P. Cahill) writes:
>In article <5222 at milton.u.washington.edu> wiml at milton.u.washington.edu (William Lewis) writes:
>>
>>   In the man entry for ln(1) (and for link(2)),  it says that
>>hard links may not be made to directories, unless the linker is
>>the super-user (in order to make '.' and '..', I suppose). My 
>>question is: why not? (and is there any reason that I, if I'm
>>root, shouldn't do this?) It seems perfectly harmless to me, although 
>>it would allow the user to make a pretty convoluted directory structure,
>
[ some stuff about find deleted... ]
>
>Now you might say that you don't care that much about find.  That is, you 
>might say this until you realize that find is used as a main portion of the
>backup scheme on many systems, so your backups will get screwed up.

Outside of the fact that "dump" *should* be the way to go to back up
systems (religious issue -- flames to Email!), the problem with hard-
linking directories is indeed a security issue at one point.
Consider the user who knows that he is chroot(2)ed somewhere.  If he could,
via another account, make a hard link to somewhere upward of his chroot(2)ed
point (assuming that his new root is not the root of a separate file system)
then he could access things he wasn't meant to.

Another claim is somewhere in the rename(2) man page:

"CAVEAT
    The system can deadlock if a loop in the file system graph
    is present.  This loop takes the form of an entry in direc-
    tory "a", say "a/foo", being a hard link to directory "b",
    and an entry in directory "b", say "b/bar", being a hard
    link to directory "a".  When such a loop exists and two
    separate processes attempt to perform "rename a/foo b/bar"
    and "rename b/bar a/foo", respectively, the system may dead-
    lock attempting to lock both directories for modification.
    Hard links to directories should be replaced by symbolic
    links by the system administrator."

>>that's the user's priviledge. So I suppose it's probably a security
>>issue somehow (restrictions of this sort seem to be). Hence the
>>crosspost to alt.security. 

Well, it IS the user's privilege to make up a convoluted directory struc-
ture in his own namespace, but using symbolic links.  They're much more
easy to try and resolve, since you don't have to do an ncheck to find out
which directories have such-and-such an inode.

Now, WHY a user would need to make a namespace convoluted escapes me, but
the world is full of oddities, now, ain't it?

>>-- 
>>wiml at blake.acs.washington.edu       Seattle, Washington  | No sig under
>>(William Lewis)  |  47 41' 15" N   122 42' 58" W  |||||||| construction
>
>
>-- 
>Conor P. Cahill            (703)430-9247        Virtual Technologies, Inc.,
>uunet!virtech!cpcahil                           46030 Manekin Plaza, Suite 160
>                                                Sterling, VA 22170 


-- 
-- once bitten, twice shy, thrice stupid --
MORALITY IS THE BIGGEST DETRIMENT TO OPEN COMMUNICATION.
/earth: minimum percentage of free space changes from 10% to 0%
should optimize for space^H^H^H^H^Hintelligence with minfree < 10%

More information about the Comp.unix.wizards mailing list