--- gentoo-security.xml~ 2005-02-07 21:36:41.118007720 +0000 +++ gentoo-security.xml 2005-02-07 22:10:45.677187480 +0000 @@ -1224,7 +1224,61 @@ But if you are running X, you might have some more, since X needs the elevated access afforded by SUID.

+ + +
+SUID/SGID binaries and Hardlinks + +

+A file is only considered deleted when there are no more links pointing to it. This +might sound like a strange concept, but consider that a filename like /usr/bin/perl +is actually a link to the inode where the data is stored. Any number of links can point +to the file, and until all of them are gone, the file still exists. +

+ +

+If your users have access to a partition that isn't mounted with nosuid +or noexec (for example, if /tmp, /home, or /var/tmp are +not seperate partitions) you should take care to ensure your users don't create hardlinks to +SUID or SGID binaries, so that after Portage updates they still have access to the old +versions. +

+ + +if you have received a warning from portage about remaining hardlinks, and your users can +write to a partition that allows executing SUID/SGID files, you should read this section carefully. +One of your users may be attempting to circumvent your update by keeping an outdated version +of a program. If your users cannot create their own SUID files, or can only execute programs using +the dynamic loader (partitions mounted noexec), you do not have to worry. + + +Users do not need read access to a file to create a link to it, they only need read permission to +the directory that contains it. + + +

+To check how many links a file has, you can use the stat command. +

+ +

+$ stat /bin/su    
+  File: `/bin/su'
+  Size: 29350           Blocks: 64         IO Block: 131072 regular file
+Device: 900h/2304d      Inode: 2057419     Links: 1
+Access: (4711/-rws--x--x)  Uid: (    0/    root)   Gid: (    0/    root)
+Access: 2005-02-07 01:59:35.000000000 +0000
+Modify: 2004-11-04 01:46:17.000000000 +0000
+Change: 2004-11-04 01:46:17.000000000 +0000
+
+ +

+To find the SUID and SGID files with multiple links, you can use find. +

+ +
+$ find / -type f \( -perm -004000 -o -perm -002000 \) -links +1 -ls
+
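Review bot: The permission claim in the added paragraph, "Users do not need read access to a file to create a link to it, they only need read permission to the directory that contains it", is inaccurate and should be corrected before this lands: creating a hard link requires write and search (execute) permission on the directory where the new link is created, plus search permission along the path to the target; neither read permission on the target file nor read permission on its directory is required, which is exactly why a world-writable /tmp or /home on the same filesystem as /bin is the risk the section describes. Two smaller points in the same hunk: "seperate" should read "separate", and "if you have received a warning from portage" should start with a capital letter. The sentence "you should take care to ensure your users don't create hardlinks to SUID or SGID binaries, so that after Portage updates they still have access to the old versions" reads as though retained access is the goal; something like "hardlinks to SUID or SGID binaries, which would leave them with the old versions after Portage updates them" states the intent. For the `find / -type f \( -perm -004000 -o -perm -002000 \) -links +1 -ls` example, consider running it per partition that is both user-writable and not mounted nosuid (hard links cannot cross filesystems, so that is the only place a retained copy can live) rather than from /, so it does not descend into /proc and other pseudo-filesystems.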