On 9 Dec 1999, Kjetil Torgrim Homme wrote:
> [Alexander Viro]
>
> > Again, until you've removed your link _other_ links do not
> > matter. And once you've removed it it will not be used to create
> > new ones anyway. I still don't see anything you could buy
> > prohibiting link().
>
> Think chroot().
Huh? If attacker can link something outside of chroot jail you are
_already_ screwed - he can just access it directly.
> Think chmod() (by the admin after the "rogue"
> link()).
s/admin/luser with root/. That's what find(1) is for. Blind
recursive _anything_ in places you don't control is asking for trouble.
And I'ld rather live without "Linux-only admins" if they have a slightest
chance to get root on any other box. E.g. on a box with older version of
Linux kernel.
> I think the change in semantics is reasonable.
> Hardlinks
> are seldom used by ordinary users, anyway, since they can't cross
> device boundaries.
Absolute BS. Subtrees from the homedir rarely span over several
filesystems.
