Is there a reason we do not turn on the file system hardlink/symlink protection in Rawhide?

Kees Cook kees at outflux.net
Thu Mar 14 21:12:49 UTC 2013


On Thu, Mar 14, 2013 at 09:08:48AM -0400, Daniel J Walsh wrote:
> On 03/14/2013 04:09 AM, yersinia wrote:
> > On Wed, Mar 13, 2013 at 7:52 PM, Daniel J Walsh <dwalsh at redhat.com 
> > <mailto:dwalsh at redhat.com>> wrote:
> > 
> > sysctl -a | grep protected
> > fs.protected_hardlinks = 0
> > fs.protected_symlinks = 0
> > 
> > Here is some more info for this apparent regression:
> > http://kernel.opensuse.org/cgit/kernel/commit/?id=561ec64ae67ef25cac8d72bb9c4bfc955edfd415
> >
> > Best
> 
> Well I believe Ubuntu has been using this feature for years and maybe we
> should consider turning it on via systemd or a unit file.  The breakage of AFD
> is not a legitimate reason for Fedora to turn it off.
> 
> Kees, could you explain how these restrictions would help secure Fedora and
> any potential side effects?

AFD was a single specific program doing a very specific task and hardly
represents an "average workload". I remain extremely disappointed that the
default-on state was reverted. Ubuntu has had this feature enabled for
YEARS now, and it stopped quite a few exploits cold.

Everything about these restrictions is described in detail in the commit:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7

I'm happy to answer any questions.

-Kees

-- 
Kees Cook                                            @outflux.net
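As an added example (not part of the thread, not Fedora's or the kernel's own tooling), a POSIX shell script that audits the two sysctls quoted above and emits the sysctl.d drop-in that would enable them persistently, which is the "unit file" style of fix Daniel suggests; the drop-in file name /etc/sysctl.d/50-link-protection.conf is an assumption.

```shell
#!/bin/sh
# Added example: audit fs.protected_hardlinks / fs.protected_symlinks and
# print the sysctl.d drop-in that turns them on. Assumes a Linux kernel that
# exposes /proc/sys/fs/protected_* (3.6 and later) and a procps-style sysctl.

# Read one knob from /proc; prints "missing" when the kernel lacks it.
read_knob() {
    f="/proc/sys/fs/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Return 0 only when both protections are enabled (value 1), 1 otherwise.
protections_status() {
    hard="$1"; sym="$2"
    [ "$hard" = "1" ] && [ "$sym" = "1" ]
}

# Emit the drop-in text that enables both protections.
# protected_symlinks: symlinks in sticky world-writable dirs (e.g. /tmp) are
#   only followed when the follower owns the link or the directory.
# protected_hardlinks: a hardlink may only be created to a file the caller
#   owns or has read+write access to.
sysctl_dropin() {
    printf '%s\n' \
        '# Restrict link following/creation in sticky world-writable directories.' \
        'fs.protected_symlinks = 1' \
        'fs.protected_hardlinks = 1'
}

# Report current state; show the remediation when anything is off.
main() {
    h=$(read_knob protected_hardlinks)
    s=$(read_knob protected_symlinks)
    echo "fs.protected_hardlinks = $h"
    echo "fs.protected_symlinks = $s"
    if protections_status "$h" "$s"; then
        echo "both link protections are enabled"
    else
        echo "one or both protections are off; to enable them persistently,"
        echo "save the following as /etc/sysctl.d/50-link-protection.conf (assumed path)"
        echo "and run: sysctl --system"
        sysctl_dropin
    fi
}

main
```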