RedHat Linux 6 and above has been tightened up to prevent symbolic and hard links from being exploited. The restriction is that a hard link to an existing file may only be created by a user who already owns that file, or who already has read and write access to it.
This means that a small amount of additional administration is required to make process accounting work, because the "metron" user needs to link to the pacct file, which is owned by root.
- Put the "metron" user in a group that has write access to the pacct file:
  Create a group called "metron" in /etc/group and give it a unique number, for example 999, like this:
  metron:x:999:
  Add the "metron" user to the end of the group definition and save it. For example:
  metron:x:999:metron
  Edit the /etc/passwd file to set the new group id and save it. For example:
  metron:x:1000:100:metron:/home/metron:/bin/bash
  becomes:
  metron:x:1000:999:metron:/home/metron:/bin/bash
- Change the permissions of the pacct file so the owning group is "metron" and the group permission is read/write. Issue the following commands as root:
  chgrp metron /var/account/pacct
  chmod 664 /var/account/pacct
  Typing in ls -l /var/account/pacct should now produce the following result:
  -rw-rw-r-- 3 root metron 1578816 Feb 9 17:36 /var/account/pacct
- Check that "metron" has access to this group with the "id" command. Typing in id as the "metron" user (in a fresh login session, since a changed primary group id is only picked up at login) should now produce the following result:
  uid=1000(metron) gid=999(metron) groups=999(metron)
Now, without changing anything else, the “metron” user should be able to create links from /var/account/pacct.
Whoever (or whatever process) rotates the pacct file to pacct.1, pacct.2, etc., will also need to ensure that the owning group of the new pacct file remains the "metron" group and that its permissions are still set to 664; otherwise link creation will fail again after the first rotation.
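To check a setup like the one above without trial and error, the following is an added example (not part of the original article) that models the Linux hard-link restriction described at the top (the fs.protected_hardlinks rule: the caller must own the file or have read and write access to it, and the file must be a regular, non-setuid file) and applies it both to constructed before/after states of the pacct file and, optionally, to a real path. Uid 1000 and gid 999 are the example values from the article; ACLs and CAP_FOWNER are assumed absent.

```python
"""Model of the fs.protected_hardlinks check (Linux may_linkat/safe_hardlink_source).
Added example; not the article's own code."""
import os
import stat


def safe_hardlink_source(mode, owner_uid, owner_gid, uid, groups):
    """Kernel test: the source must be a regular, non-setuid, non-setgid-executable
    file that the caller can both read and write (plain DAC bits, no ACLs)."""
    if not stat.S_ISREG(mode):
        return False
    if mode & stat.S_ISUID:
        return False
    if (mode & (stat.S_ISGID | stat.S_IXGRP)) == (stat.S_ISGID | stat.S_IXGRP):
        return False
    # Pick the owner/group/other permission triple that applies to the caller.
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 0o6 == 0o6  # need read (4) and write (2)


def hardlink_allowed(mode, owner_uid, owner_gid, uid, groups, protected=True):
    """True if link() on the source would succeed for an unprivileged caller."""
    if not protected:
        return True
    if uid == owner_uid:  # inode_owner_or_capable; CAP_FOWNER ignored here
        return True
    return safe_hardlink_source(mode, owner_uid, owner_gid, uid, groups)


def path_hardlink_allowed(path, uid=None, groups=None):
    """Run the same check against a real file, e.g. /var/account/pacct, using the
    current process credentials unless uid/groups are given explicitly."""
    st = os.stat(path)
    uid = os.geteuid() if uid is None else uid
    groups = set(os.getgroups()) | {os.getegid()} if groups is None else set(groups)
    return hardlink_allowed(st.st_mode, st.st_uid, st.st_gid, uid, groups)


# Constructed states of the pacct file from the article (owned by root).
METRON_UID, METRON_GID = 1000, 999
# Before: root:root 0644, metron's primary group is 100 -> no write access, link fails.
BEFORE = hardlink_allowed(stat.S_IFREG | 0o644, 0, 0, METRON_UID, {100})
# After: chgrp metron + chmod 664, metron is in group 999 -> link allowed.
AFTER = hardlink_allowed(stat.S_IFREG | 0o664, 0, METRON_GID, METRON_UID, {METRON_GID})
```

Running path_hardlink_allowed("/var/account/pacct", 1000, {999}) as root after a rotation is a quick way to confirm the new file still satisfies the rule.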