Is there a reason we do not turn on the file system hardlink/symlink protection in Rawhide?
Josh Boyer
jwboyer at gmail.com
Thu Mar 14 22:32:46 UTC 2013
On Thu, Mar 14, 2013 at 5:12 PM, Kees Cook <kees at outflux.net> wrote:
> On Thu, Mar 14, 2013 at 09:08:48AM -0400, Daniel J Walsh wrote:
>> On 03/14/2013 04:09 AM, yersinia wrote:
>> > On Wed, Mar 13, 2013 at 7:52 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> >
>> > sysctl -a | grep protected
>> > fs.protected_hardlinks = 0
>> > fs.protected_symlinks = 0
>> >
>> > Here is some more info for this apparent regression
>> > http://kernel.opensuse.org/cgit/kernel/commit/?id=561ec64ae67ef25cac8d72bb9c4bfc955edfd415
>> >
>> > Best
>> >
>> Well I believe Ubuntu has been using this feature for years and maybe we
>> should consider turning it on via systemd or a unit file. The breakage of AFD
>> is not a legitimate reason for Fedora to turn it off.
>>
>> Kees, could you explain how these restrictions would help secure Fedora and
>> any potential side effects?
>
> AFD was a single specific program doing a very specific task and hardly
> represents an "average workload". I remain extremely disappointed that the
> default-on state was reverted. Ubuntu has had this feature enabled for
> YEARS now, and it stopped quite a few exploits cold.
>
> Everything about these restrictions is described in detail in the commit:
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
>
> I'm happy to answer any questions.
Something like this patch to systemd should work, no?
From 9ee10b11d0d13554d3c59205389d6ebf665a213a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer at redhat.com>
Date: Thu, 14 Mar 2013 18:30:47 -0400
Subject: [PATCH] Turn on protected hard and soft link protection by default
---
Makefile.am | 9 +++++++--
sysctl.d/protected_links.conf.in | 11 +++++++++++
2 files changed, 18 insertions(+), 2 deletions(-)
create mode 100644 sysctl.d/protected_links.conf.in
diff --git a/Makefile.am b/Makefile.am
index 175d14b..68b5de9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2688,6 +2688,9 @@ pkgconfiglib_DATA += \
dist_catalog_DATA = \
catalog/systemd.catalog
+sysctl_DATA = \
+ sysctl.d/protected_links.conf
+
SOCKETS_TARGET_WANTS += \
systemd-journald.socket
SYSINIT_TARGET_WANTS += \
@@ -2699,10 +2702,12 @@ EXTRA_DIST += \
src/journal/libsystemd-journal.sym \
units/systemd-journald.service.in \
units/systemd-journal-flush.service.in \
- src/journal/journald-gperf.gperf
+ src/journal/journald-gperf.gperf \
+ sysctl.d/protected_links.conf.in
CLEANFILES += \
- src/journal/journald-gperf.c
+ src/journal/journald-gperf.c \
+ sysctl.d/protected_links.conf
# ------------------------------------------------------------------------------
if HAVE_MICROHTTPD
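Review bot: the EXTRA_DIST and CLEANFILES additions treat protected_links.conf as generated from protected_links.conf.in, but the new template contains no @...@ substitutions and no rule producing the .conf is visible in this patch. Shipping the file as-is (for example as dist_sysctl_DATA under the name protected_links.conf) would remove the need for both additions; if substitution is intended, the generating rule should be part of the patch. The entries are also appended to the journald lists, which ties an unrelated file to that block.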
diff --git a/sysctl.d/protected_links.conf.in b/sysctl.d/protected_links.conf.in
new file mode 100644
index 0000000..f183b08
--- /dev/null
+++ b/sysctl.d/protected_links.conf.in
@@ -0,0 +1,11 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See sysctl.d(5) for for details.
+
+fs.protected_hardlinks=1
+fs.protected_symlinks=1
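Review bot: the new file does not say what the two settings do or why they are set here; the only pointer is the line "See sysctl.d(5) for for details.", which has a doubled "for". A one-line comment per key (hardlink and symlink restrictions) plus a pointer to the kernel commit referenced in the thread would help an administrator deciding whether to override it. Because sysctl.d files apply in lexical order of file name, a numeric prefix on protected_links.conf would also make it clear where local overrides sort relative to it.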
--
1.8.1.2
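
A check an administrator could run against a drop-in like the one in the patch above (an added example, not part of the original message or of systemd): it works out which value a set of sysctl.d directories would leave in effect for the two keys, since a later file can set them back to 0. The function names are hypothetical, the directory list is passed in by the caller, and the script only reads *.conf drop-ins, not the running kernel.

```shell
#!/bin/sh
# Added example (not from the thread). Reads sysctl.d-style drop-ins only.

# effective_sysctl KEY DIR...
# DIRs are listed lowest precedence first. A file in a later DIR replaces a
# same-named file from an earlier DIR; the remaining files apply in lexical
# order of basename, and the last assignment to KEY wins.
# Prints that value, or "unset" if no file assigns KEY.
effective_sysctl() {
    key=$1; shift
    for d in "$@"; do
        for f in "$d"/*.conf; do
            if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
        done
    done |
    awk -F'\t' '{ path[$1] = $2 } END { for (n in path) print n "\t" path[n] }' |
    LC_ALL=C sort | cut -f2 |
    while IFS= read -r file; do cat "$file"; echo; done |
    awk -v key="$key" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }     # comments and blank lines
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            sub(/^-/, "", k)                     # "-key" only ignores write errors
            if (k == key) val = v
        }
        END { print (val == "" ? "unset" : val) }'
}

# audit_link_protection DIR...
# Prints the effective value of both keys; returns non-zero unless both are 1.
audit_link_protection() {
    rc=0
    for k in fs.protected_hardlinks fs.protected_symlinks; do
        v=$(effective_sysctl "$k" "$@")
        echo "$k = $v"
        [ "$v" = 1 ] || rc=1
    done
    return "$rc"
}
```

Called as audit_link_protection /usr/lib/sysctl.d /run/sysctl.d /etc/sysctl.d it covers the usual drop-in locations; the values the kernel is actually using are what the "sysctl -a | grep protected" command quoted earlier reports.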