On 01/10/2018 05:18 PM, James Le Cuirot wrote:
>
> The init script used to call chown/chmod -R, which is
> obviously bad. I've compromised by only calling these on the
> directories themselves (ignoring symlinks). I believe this is safe
> because it's not possible to create hard linked directories these days?
> Would you agree?
Are you still using chown and chmod? If so, you should switch to checkpath -- chown and chmod don't even try to avoid hard links. I would be surprised to see a "chown" or "chmod" in an init script that can't be replaced by something better.

The race condition that we're talking about here is trying to squeeze the last 1% of security out of checkpath; it's already much safer than chown/chmod.

For example, if your script is calling chown and chmod on two directories /foo and /foo/bar, then whoever owns /foo can kill /foo/bar entirely and replace it with a hard link to /etc/passwd. When the service restarts, chown and chmod won't care that you think /foo/bar should be a directory instead.
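The /foo/bar scenario above, reproduced as an added illustration that is not part of the thread and is not OpenRC code. It runs unprivileged in a scratch directory: a constructed file named "target" stands in for /etc/passwd, "foo" for the parent directory the unprivileged user owns, and the names setup_scenario, naive_fixperms, guarded_fixperms and mode_of are hypothetical. checkpath itself is not invoked; guarded_fixperms only mimics the one property discussed here (refusing to act on something that is not a directory), so the contrast with a bare chmod can be seen on any POSIX shell.

```shell
#!/bin/sh
# Added illustration, not from the original thread.  Everything happens
# under a scratch directory passed as $1; nothing here needs root.

# Constructed sample layout: foo/bar is a directory, target is a mode-0600
# file playing the role of /etc/passwd.  Then the owner of foo removes the
# bar directory and drops a hard link to the sensitive file in its place.
setup_scenario() {
    mkdir -p "$1/foo/bar" || return 1
    printf 'root:x:0:0\n' > "$1/target"
    chmod 0600 "$1/target"
    rmdir "$1/foo/bar"
    ln "$1/target" "$1/foo/bar"
}

# What the old init script did: chmod whatever currently lives at the path.
# A hard link is the same inode as target, so target's mode changes too.
naive_fixperms() {
    chmod 0755 "$1/foo/bar"
}

# What checkpath -d does in spirit: insist that the path is a real
# directory (not a symlink to one, not a file) before touching it.
# Returns 2 and changes nothing when the check fails.
guarded_fixperms() {
    if [ ! -d "$1/foo/bar" ] || [ -L "$1/foo/bar" ]; then
        printf 'refusing: %s is not a directory\n' "$1/foo/bar" >&2
        return 2
    fi
    chmod 0755 "$1/foo/bar"
}

# Octal permission bits of a path: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %OLp "$1"
}

# Stand-alone run: set up the scenario, then show each behaviour.
if [ "${0##*/}" != "sh" ] && [ -z "${SOURCED:-}" ]; then
    d=$(mktemp -d)
    setup_scenario "$d"
    echo "target before:        $(mode_of "$d/target")"
    guarded_fixperms "$d" || echo "guarded: left target at $(mode_of "$d/target")"
    naive_fixperms "$d"
    echo "target after naive:   $(mode_of "$d/target")"
    rm -rf "$d"
fi
```

The hard link has no owner or type of its own; it is the same inode as the file it points at, so once /foo/bar has been swapped out, any chmod or chown aimed at "the bar directory" lands on the sensitive file. Testing -d before acting closes that particular hole, which is the part of checkpath's behaviour the thread is discussing; the remaining race (the swap happening between the check and the chmod) is the "last 1%" referred to above.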