Re: FS: hardlinks on directories

From: jw schultz (jw@pegasys.ws)
Date: Mon Aug 04 2003 - 23:53:46 EST

Next message: Valdis.Kletnieks@vt.edu: "Re: [PATCH] O11int for interactivity"
Previous message: Peter Chubb: "[PATCH, TRIVIAL] Add do_setitimer prototype to linux/time.h)"
In reply to: Hans Reiser: "Re: FS: hardlinks on directories"
Next in thread: jlnance@unity.ncsu.edu: "Re: FS: hardlinks on directories"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Aug 04, 2003 at 09:00:53PM +0400, Hans Reiser wrote:
> If you want hard linked directories, send us a patch for v4. Should be
> VERY easy to write. If there is some reason it is not simple, let me
> know. Discuss it with Vitaly though, it might affect fsck.

I don't recommend it but if you do make sure those links can
only be made by root.

SVR3 and earlier allowed manual hardlinking of directories
by root only. They were a real source of problems. It
also confused the dickens out of fsck so it would have to be
restricted or allowed by the filesystem code, not the VFS
layer. I remember playing with it and it was a guarantee
that fsck would have to be run manually.

        $mkdir A
        $mkdir B
        $mkdir C
        $mkdir A/A1
        $ln A/A1 B/B1
        $ln A/A1 C/C1
        $rmdir A/A1

Assuming we can do this. A1 is an empty directory after all.
Now B1 has a link count of 1, but i'll assume that is OK

$rmdir A

It is after all empty even though the link count is 3.

        $cd B/B1
        $/bin/pwd
        cannot stat .

Remember B/B1/.. is it A with a nlinks==1

$cd ..

Now where are you? It used to be called A but now it has no
normal path but can be reached through B/B1/.. It still has
.. so what directory is it linked to that doesn't have an
entry pointing back to it.

Lets some fun with it.

$mkdir A2

Ah, now we have a directory the path to which is B/B1/../A2
We can hide all sorts of stuff here and find will never see
it. It won't get backed up but maybe that doesn't matter.

What a lovely way to hide a rootkit.

If on the other hand you removed A/A1/.. when removing A/A1
you have a B/B1 and C/C1 without ..

Now umount the filesystem and run fsck. B/B1 and C/C1 each
refer to the same directory with no .. or a .. that points
to a third directory with nlinks==1 and no directory entries
except a ..

You can put in a slew of logic to reduce the risks somewhat.
Things like only allowing rmdir somedir when
somedir->nlinks <= 2 || somedir/.. != .
but that still leaves the issue of where .. is linked and
the potential to bypass parent directory based access
controls such as Linus likes in a way that the admin will
have a hard time identifying.

The issues on a filesystem where .. is simulated would i
imagine be different.

-- ________________________________________________________________ J.W. Schultz Pegasystems Technologies email address: jw@pegasys.ws

Remember Cernan and Schmitt - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

Next message: Valdis.Kletnieks@vt.edu: "Re: [PATCH] O11int for interactivity"
Previous message: Peter Chubb: "[PATCH, TRIVIAL] Add do_setitimer prototype to linux/time.h)"
In reply to: Hans Reiser: "Re: FS: hardlinks on directories"
Next in thread: jlnance@unity.ncsu.edu: "Re: FS: hardlinks on directories"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Thu Aug 07 2003 - 22:00:27 EST