However, there are also many things which can go wrong with publically
writable directories, such as /tmp, when hard links are employed.
Consider a (questionable) root-owned program which does a
chown("/tmp/foo", uid, gid), with the sticky bit set on /tmp.
If /tmp/foo is a symbolic link to /etc/passwd, all is well with Linux -
it changes the ownership of the symbolic link (which is meaningless in
most cases), and /etc/passwd still belongs to root.
If, however, /tmp/foo is a HARD link to /etc/passwd, chown("/tmp/foo",
uid, gid) will lead to the user owning /etc/passwd - not a desirable
thing, in general.
My proposal would be to disallow linking a file into a directory which
has the sticky bit set unless the owner of the file is attempting this.
In other words, Joe Random Cracker can't do a 'ln /etc/passwd /tmp/foo'
-- Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, firstname.lastname@example.org. The joy of engineering is to find a straight line on a double logarithmic diagram.