But if you are running X, you might have some more, since X needs the elevated
access afforded by SUID.
</p>
</body>
</section>
<section>
<title>SUID/SGID binaries and Hardlinks</title>
<body>
<p>
A file is only considered deleted when there are no more links pointing to it. This
might sound like a strange concept, but consider that a filename like <path>/usr/bin/perl</path>
is actually a link to the inode where the data is stored. Any number of links can point
to the same inode, and until all of them are gone, the file still exists.
</p>
<p>
If your users can write to a filesystem that also holds SUID or SGID binaries and is not
mounted <c>nosuid</c> or <c>noexec</c> (for example, if <path>/tmp</path>, <path>/home</path>,
or <path>/var/tmp</path> are not separate partitions), you should take care that they do not
create hardlinks to SUID or SGID binaries. A hardlink cannot cross filesystems, but on the
same filesystem it keeps the old inode alive, so after Portage replaces the binary the user
still has the old, possibly vulnerable, version with its SUID bit intact. On Linux 3.6 and
later the sysctl <c>fs.protected_hardlinks=1</c> refuses hardlinks to files the user does not
own and cannot both read and write, which prevents this for root-owned SUID binaries.
</p>
<warn>
If you have received a warning from Portage about remaining hardlinks, and your users can
write to a filesystem that allows executing SUID/SGID files, you should read this section carefully.
One of your users may be attempting to circumvent your update by keeping an outdated version
of a program. If your users cannot create hardlinks to SUID/SGID files (separate partitions, or
<c>fs.protected_hardlinks</c> enabled), or can only run programs by handing them to the dynamic
loader (partitions mounted <c>noexec</c>), which does not grant SUID privileges, you do not have
to worry.
</warn>
<note>
Users do not need read access to a file to create a hardlink to it. On a traditional Unix
filesystem they only need search (execute) permission on the directory that contains it and
write permission on the directory where the link is created; the file's own permission bits are
not consulted. Linux with <c>fs.protected_hardlinks=1</c> additionally requires that the user
own the file or have both read and write access to it.
</note>
<p>
To check how many links a file has, you can use the <c>stat</c> command. The
<c>Links:</c> field is the inode's link count; for a SUID binary it should normally be 1.
</p>

<pre caption="Stat command">
$ stat /bin/su
  File: `/bin/su'
  Size: 29350           Blocks: 64         IO Block: 131072 regular file
Device: 900h/2304d      Inode: 2057419     Links: 1
Access: (4711/-rws--x--x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2005-02-07 01:59:35.000000000 +0000
Modify: 2004-11-04 01:46:17.000000000 +0000
Change: 2004-11-04 01:46:17.000000000 +0000
</pre>
<p>
To find the SUID and SGID files with multiple links, you can use <c>find</c>. Run it as root
so that every directory is searched. Each path to a shared inode is listed separately, so a
hardlinked binary shows up at least twice, once under its system path and once wherever the
user created the link.
</p>

<pre caption="Finding multiply linked suid/sgid binaries">
$ find / -type f \( -perm -004000 -o -perm -002000 \) -links +1 -ls
</pre>
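<p>
The following script is an added demonstration and is not part of the Gentoo handbook or of
Portage. It reproduces the problem described in this section inside a scratch directory: a
fake SUID "binary" at a constructed path (<path>$SCRATCH/bin/su</path>), a user-writable
directory on the same filesystem, a hardlink parked there, and an upgrade done the way a
package manager does it (write the new file, then rename it over the old path). It then shows
what the <c>stat</c> link count and the <c>find</c> predicate above report before and after
the upgrade, and why a second search for SUID files in user-writable areas is needed afterwards:
once the system's own link is gone, the leftover has a link count of 1 and no longer matches
<c>-links +1</c>. The script runs as an ordinary user and owns the file it links to, so it does
not exercise the permission point from the note.
</p>

```shell
#!/bin/sh
# Added demonstration, not code from the Gentoo handbook or from Portage.
# All paths below ($scratch/bin/su, $scratch/home/user) are constructed stand-ins
# created by this script, not real system files.
set -e

# Build the scratch "system": a fake SUID binary plus a user-writable directory on
# the same filesystem, which is the precondition for a hardlink to be possible.
setup_scratch() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/bin" "$scratch/home/user"
    printf '#!/bin/sh\necho old version\n' > "$scratch/bin/su"
    chmod 4711 "$scratch/bin/su"        # -rws--x--x, like the real /bin/su
    echo "$scratch"
}

# Inode link count, the value stat prints in its "Links:" field
# (GNU stat spelling first, BSD stat as fallback).
link_count() {
    stat -c %h "$1" 2>/dev/null || stat -f %l "$1"
}

# Number of SUID/SGID regular files below $1 with more than one link: the
# handbook's find predicate restricted to one tree. Every path to a shared
# inode is counted, so one hardlinked binary yields 2.
count_multilinked_suid() {
    find "$1" -type f \( -perm -004000 -o -perm -002000 \) -links +1 | wc -l | tr -d ' '
}

# Number of SUID/SGID regular files below $1 regardless of link count. This is
# the search that still finds a leftover after the upgrade dropped the system link.
count_suid() {
    find "$1" -type f \( -perm -004000 -o -perm -002000 \) | wc -l | tr -d ' '
}

# What a package manager does on upgrade: write the new file under a temporary
# name and rename() it over the old path. The old inode is only freed if no
# other link (and no open descriptor) remains.
upgrade_binary() {
    printf '#!/bin/sh\necho new version\n' > "$1.new"
    chmod 4711 "$1.new"
    mv -f "$1.new" "$1"
}

demo() {
    root=$(setup_scratch)
    # The user parks a hardlink to the SUID binary in their home directory.
    ln "$root/bin/su" "$root/home/user/.su-old"
    echo "before upgrade: links=$(link_count "$root/bin/su")" \
         "multilinked=$(count_multilinked_suid "$root")"
    upgrade_binary "$root/bin/su"
    echo "after upgrade:  links=$(link_count "$root/bin/su")" \
         "multilinked=$(count_multilinked_suid "$root")" \
         "suid_in_home=$(count_suid "$root/home")"
    # The old code is still present under the user's link, SUID bit and all.
    sh "$root/home/user/.su-old"
    rm -rf "$root"
}

demo
```

Before the upgrade both <c>stat</c> (link count 2) and the <c>-links +1</c> search catch
the link, which is the moment Portage's "remaining hardlinks" warning corresponds to. After
the upgrade the old inode survives with a single link, so only a plain SUID search of the
user-writable tree (here <c>count_suid</c> over the home directory) reveals it.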
</body>
</section>
</chapter>