On Thu, Mar 14, 2013 at 5:12 PM, Kees Cook <kees(a)outflux.net> wrote:
> On Thu, Mar 14, 2013 at 09:08:48AM -0400, Daniel J Walsh wrote:
> > On 03/14/2013 04:09 AM, yersinia wrote:
> > > On Wed, Mar 13, 2013 at 7:52 PM, Daniel J Walsh <dwalsh(a)redhat.com
> > > <mailto:dwalsh@redhat.com>> wrote:
> > >
> > > sysctl -a | grep protected
> > > fs.protected_hardlinks = 0
> > > fs.protected_symlinks = 0
> > >
> > > Here is some more info for this apparent regression:
> > > http://kernel.opensuse.org/cgit/kernel/commit/?id=561ec64ae67ef25cac8d72b...
> > >
> > > Best
> > >
> > Well I believe Ubuntu has been using this feature for years and maybe we
> > should consider turning it on via systemd or a unit file. The breakage of AFD
> > is not a legitimate reason for Fedora to turn it off.
> >
> > Kees, could you explain how these restrictions would help secure Fedora and
> > any potential side effects?
> AFD was a single specific program doing a very specific task and hardly
> represents an "average workload". I remain extremely disappointed that the
> default-on state was reverted. Ubuntu has had this feature enabled for
> YEARS now, and it stopped quite a few exploits cold.
>
> Everything about these restrictions is described in detail in the commit:
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id...
>
> I'm happy to answer any questions.
Something like this patch to systemd should work, no?
From 9ee10b11d0d13554d3c59205389d6ebf665a213a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer(a)redhat.com>
Date: Thu, 14 Mar 2013 18:30:47 -0400
Subject: [PATCH] Turn on protected hard and soft link protection by default
---
Makefile.am | 9 +++++++--
sysctl.d/protected_links.conf.in | 11 +++++++++++
2 files changed, 18 insertions(+), 2 deletions(-)
create mode 100644 sysctl.d/protected_links.conf.in
diff --git a/Makefile.am b/Makefile.am
index 175d14b..68b5de9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2688,6 +2688,9 @@ pkgconfiglib_DATA += \
dist_catalog_DATA = \
catalog/systemd.catalog
+sysctl_DATA = \
+ sysctl.d/protected_links.conf
+
SOCKETS_TARGET_WANTS += \
systemd-journald.socket
SYSINIT_TARGET_WANTS += \
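Review bot: `sysctl_DATA = \` is a plain assignment; if Makefile.am already defines sysctl_DATA for other drop-ins, this line silently replaces that list, so the append form `sysctl_DATA += \` (as used for `SOCKETS_TARGET_WANTS` and `EXTRA_DIST` in this same area) is the safer choice. Separately, sysctl.d(5) applies drop-ins in lexical filename order with the last assignment winning, and an unnumbered `protected_links.conf` sorts after every `NN-` prefixed file, so a distribution or site drop-in with the usual numeric prefix can never override it; a name such as `50-protected_links.conf` keeps the override ordering predictable for admins who want to relax the setting from /etc/sysctl.d.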
@@ -2699,10 +2702,12 @@ EXTRA_DIST += \
src/journal/libsystemd-journal.sym \
units/systemd-journald.service.in \
units/systemd-journal-flush.service.in \
- src/journal/journald-gperf.gperf
+ src/journal/journald-gperf.gperf \
+ sysctl.d/protected_links.conf.in
CLEANFILES += \
- src/journal/journald-gperf.c
+ src/journal/journald-gperf.c \
+ sysctl.d/protected_links.conf
# ------------------------------------------------------------------------------
if HAVE_MICROHTTPD
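Review bot: listing the `.in` in EXTRA_DIST and the generated `.conf` in CLEANFILES assumes a `sysctl.d/%: sysctl.d/%.in` substitution rule already exists in Makefile.am; this patch adds none, so confirm one is there or the install target will fail for want of `sysctl.d/protected_links.conf`. Since the new file in the next hunk contains no `@...@` placeholders at all, the simpler route is to commit a plain `sysctl.d/protected_links.conf` and ship it via `dist_sysctl_DATA`, which makes both the EXTRA_DIST and CLEANFILES additions here unnecessary.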
diff --git a/sysctl.d/protected_links.conf.in b/sysctl.d/protected_links.conf.in
new file mode 100644
index 0000000..f183b08
--- /dev/null
+++ b/sysctl.d/protected_links.conf.in
@@ -0,0 +1,11 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See sysctl.d(5) for for details.
+
+fs.protected_hardlinks=1
+fs.protected_symlinks=1
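Review bot: `# See sysctl.d(5) for for details.` doubles "for". The file also documents nothing about what the two knobs do or why the distribution turns them on; a short comment (with `fs.protected_symlinks=1`, a symlink in a world-writable sticky directory is only followed when the follower owns the link or the directory owner owns it; with `fs.protected_hardlinks=1`, a hard link to a file the caller does not own requires read and write access to the target, per the kernel commit linked in the thread) would save the next reader a trip to git, and noting that a later-sorting drop-in in /etc/sysctl.d can override these values documents the supported way to relax them.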
--
1.8.1.2
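A practitioner shipping a drop-in like the one above usually wants to confirm that it still wins once every sysctl.d fragment on the box is taken into account, since a later-sorting file can quietly set the knobs back to 0. The following checker is an added example, not code from this thread or from systemd: it resolves drop-ins the way sysctl.d(5) describes (files from /usr/lib/sysctl.d, /run/sysctl.d and /etc/sysctl.d, a same-named file in a higher-priority directory masking the others, the survivors applied in lexical order with the last assignment winning) and reports the effective value and origin of `fs.protected_hardlinks` and `fs.protected_symlinks`. The `demo()` function builds constructed drop-ins in a temporary directory; the treatment of `/` and `.` as interchangeable separators is a simplification assumed here, and the function and variable names are this example's own.

```python
"""Resolve the effective fs.protected_* values from sysctl.d(5) drop-ins.

Precedence modelled here (from sysctl.d(5)): drop-ins are collected from
/usr/lib/sysctl.d, /run/sysctl.d and /etc/sysctl.d; a file with the same
name in a higher-priority directory (/etc > /run > /usr/lib) masks the
others; the surviving files are applied in lexical order of their names,
so a key assigned in a later file overrides an earlier assignment.
"""
import tempfile
from pathlib import Path

# Search directories in ascending priority: a same-named file in a later
# entry of this tuple masks the one in an earlier entry.
SYSCTL_DIRS = ("/usr/lib/sysctl.d", "/run/sysctl.d", "/etc/sysctl.d")

# The hardened values the drop-in in the thread is meant to establish.
HARDENING_KEYS = {"fs.protected_hardlinks": "1", "fs.protected_symlinks": "1"}


def normalize_key(key):
    """Canonicalise a sysctl key to dotted form.
    Assumption: '/' and '.' are treated as interchangeable separators, which
    is sufficient for fs.* keys (the full first-separator rule is not needed)."""
    return key.strip().replace("/", ".")


def parse_dropin(text):
    """Parse one drop-in into an ordered list of (key, value).
    Blank lines and lines starting with '#' or ';' are comments (sysctl.d(5))."""
    settings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed sysctl line: {raw!r}")
        key, value = line.split("=", 1)
        settings.append((normalize_key(key), value.strip()))
    return settings


def collect_dropins(dirs=SYSCTL_DIRS):
    """Return the *.conf files that precedence actually applies, in the order
    they are applied: later directories mask same-named files from earlier
    ones, then the survivors are sorted by basename."""
    chosen = {}
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for f in p.iterdir():
            if f.suffix == ".conf" and f.is_file():
                chosen[f.name] = f
    return [chosen[name] for name in sorted(chosen)]


def effective_settings(dirs=SYSCTL_DIRS):
    """Apply the drop-ins in order; the last assignment of a key wins.
    Each key maps to (value, path_of_file_that_set_it)."""
    effective = {}
    for path in collect_dropins(dirs):
        for key, value in parse_dropin(path.read_text()):
            effective[key] = (value, str(path))
    return effective


def check_link_protection(dirs=SYSCTL_DIRS):
    """Compare effective fs.protected_* values with the hardened value.
    Returns key -> (ok, actual_value_or_None, origin_file_or_None)."""
    eff = effective_settings(dirs)
    report = {}
    for key, want in HARDENING_KEYS.items():
        value, origin = eff.get(key, (None, None))
        report[key] = (value == want, value, origin)
    return report


def demo():
    """Constructed scenario: the vendor drop-in enables both protections, a
    vendor 99-local.conf is masked by a same-named site file in /etc, and that
    site file turns symlink protection back off. A plain grep over /usr/lib
    would report the box as hardened; following precedence shows it is not."""
    root = Path(tempfile.mkdtemp())
    lib = root / "usr/lib/sysctl.d"
    etc = root / "etc/sysctl.d"
    lib.mkdir(parents=True)
    etc.mkdir(parents=True)
    (lib / "50-protected_links.conf").write_text(
        "# vendor default\nfs.protected_hardlinks=1\nfs.protected_symlinks=1\n")
    (lib / "99-local.conf").write_text("fs.protected_symlinks=1\n")  # masked
    (etc / "99-local.conf").write_text(
        "; site override\nfs/protected_symlinks = 0\n")
    return check_link_protection((str(lib), str(root / "run/sysctl.d"), str(etc)))


if __name__ == "__main__":
    for key, (ok, value, origin) in demo().items():
        print(f"{key}: {'OK' if ok else 'WEAK'} (value={value}, from {origin})")
```

Run against the real directories (the default `SYSCTL_DIRS`) the report tells you not just whether each knob ends up at 1 but which file last touched it, which is the piece of information you need when a hardening drop-in appears to have no effect.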