7.5 Notice about links

7.5.1 Treatment of symbolic links

Configuration for a file whose path contains a symbolic link is ignored.
For example,
allow /etc/init.d/httpd r;
is ignored (init.d is a symbolic link to rc.d/init.d).

7.5.2 Treatment of hard links

In a Linux system, the contents of a file can be referred to by multiple names using hard links. Hard links are rarely used in recent distributions, but you have to note this if you want to preserve security.
In SPDL, the following rule exists about hard links:
If a file has multiple hard links, to access the file you must specify the originally existing file name.
For example, if /etc/shadow and /var/chroot/etc/shadow are hard-linked and /etc/shadow exists originally, to access the contents of /etc/shadow you have to use the file name /etc/shadow. Configuration using /var/chroot/etc/shadow will be ignored. If some domain (assume foo_t) wants to read /var/chroot/etc/shadow, you have to configure allow /etc/shadow r;
Next, there is a question: what is the criterion for a file to be the original? The following is the answer.
In the following, /etc/shadow and /var/shadow are assumed to be hard-linked files.
  1. If a rule is described for only one of the files, that file is treated as the original.
    Ex: allow /etc/shadow r; is described in some domain, but no rule uses the file name /var/shadow, so /etc/shadow is treated as the original.
  2. If rules are described for multiple hard-linked files, the file whose name is the youngest is treated as the original.
    Ex: allow /etc/shadow r; and allow /var/shadow r; are described in some domains; /var/shadow is treated as the original, because /var/shadow > /etc/shadow.
  3. If no rules are described for the hard-linked files, the names of the directories in which the hard links exist are compared. The file whose directory name is the oldest is the original.
    Ex: /etc/shadow and /var/shadow do not appear in any domain. Then /var/shadow is treated as the original, because /var > /etc.
If you are not sure which hard link is the original, you can use all names. That is, you can describe
allow /etc/shadow r;
allow /var/shadow r;
One of the two will be ignored, and this does no harm.

The above treatment of hard links is necessary to avoid a kind of back door in path-name-based configuration. Assume a hard link to /etc/shadow is created by some trick under /var/www/html; without this behavior, the Apache web server could access the contents of /etc/shadow via /var/www/html/shadow. To protect against this, we must limit the ways to access a hard link to one.
http://securityblog.org/brindle/2006/04/19 is a good reference.
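As an added illustration (not part of the SEEdit documentation or its code), the following Python lint applies the three criteria above to a constructed SPDL fragment and reports which allow rules on hard-linked names will be ignored. It assumes that "youngest" and "oldest" both mean the name that sorts last, as the page's examples show (/var/shadow > /etc/shadow, /var > /etc), and it takes the hard-link groups as constructed input instead of scanning a filesystem.

```python
import os
import re

# Constructed SPDL fragment (not a real policy): a domain that names
# both /etc/shadow and /var/shadow, but only /etc/passwd from its group.
SAMPLE_RULES = """
domain foo_t;
allow /etc/shadow r;
allow /var/shadow r;
allow /etc/passwd r;
"""

# Constructed hard-link groups: each tuple lists names sharing one inode.
HARDLINK_GROUPS = [
    ("/etc/shadow", "/var/shadow"),              # both named -> rule 2
    ("/etc/passwd", "/var/chroot/etc/passwd"),   # one named  -> rule 1
    ("/etc/group", "/var/group"),                # none named -> rule 3
]

ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+([^;]+);")


def parse_allow_paths(spdl_text):
    """Return the set of paths that appear in 'allow <path> <perms>;' lines."""
    paths = set()
    for line in spdl_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            paths.add(m.group(1))
    return paths


def original_name(group, ruled_paths):
    """Pick the name treated as the original under the page's three rules.
    Assumption: the 'youngest'/'oldest' name is the one that sorts last."""
    named = [p for p in group if p in ruled_paths]
    if len(named) == 1:   # rule 1: only one name is described in policy
        return named[0]
    if len(named) > 1:    # rule 2: several described; compare file names
        return max(named)
    # rule 3: none described; compare the directory names instead
    return max(group, key=os.path.dirname)


def ignored_rules(spdl_text, groups):
    """List (ignored_path, original_path) for rules on non-original links."""
    ruled = parse_allow_paths(spdl_text)
    ignored = []
    for group in groups:
        orig = original_name(group, ruled)
        ignored.extend((p, orig) for p in group if p in ruled and p != orig)
    return sorted(ignored)
```

Running ignored_rules(SAMPLE_RULES, HARDLINK_GROUPS) on the constructed input reports that the rule on /etc/shadow is the one that will be ignored, since /var/shadow is chosen as the original under rule 2.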


Yuichi Nakamura 2006-11-13