> From: David Malone [mailto:dwmalone@xxxxxxxxxxx] > Sent: Thursday, May 13, 2004 12:49 PM > > Solaris, AIX, and FreeBSD all seem to have less suprising behaviour > for chown and chmod and provide a "-h" flag for chowning a symlink > rather than its target. Fileutils also has a "-h" flag, but it is > the default for chown, so you need to say "--dereference" to get > it to operate on the target. > > While this choice of default isn't clearly wrong... It's pretty clear to me that it's wrong. It's inconsistent (with the other utilities) and counterintuitive, which is a major security risk for a security-sensitive utility. Changing ownership of a symlink is rarely useful,(*) so it makes the less-desirable behavior the default. It operates differently from other implementations of the chown command, and requires a nonstandard and implausible flag to force the de facto standard behavior. That's three strikes against it; it's out. Of course, changing the default behavior could have adverse effects on shell scripts and slow learners, so simply correcting it is likely to cause some grief. IMO it's worth it in a case like this. (*)Contrary to the FAQ entry you cited, it is sometimes useful to change the ownership of a symlink. Since the owner of a symlink can be detected by a program, there can exist programs which depend on it. Consider a script which uses "find -user x" for some purpose, for example, or the behavior of directories with the sticky bit set. Also, there was recently a discussion of a real-world case on comp.unix.aix where the use of the -h flag behavior (change link rather than target) would have avoided unfortunate consequences. The text of the FAQ entry is a classic case of failing to consider all the consequences of an action and attending only to the most obvious ones - a common security error. -- Michael Wojcik Principal Software Systems Developer, Micro Focus
