On Thu, Mar 14, 2013 at 5:12 PM, Kees Cook <kees@xxxxxxxxxxx> wrote:
> On Thu, Mar 14, 2013 at 09:08:48AM -0400, Daniel J Walsh wrote:
>> On 03/14/2013 04:09 AM, yersinia wrote:
>> > On Wed, Mar 13, 2013 at 7:52 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> >
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > sysctl -a | grep protected
>> > fs.protected_hardlinks = 0
>> > fs.protected_symlinks = 0
>> >
>> > Here is some more info for this apparent regression
>> > http://kernel.opensuse.org/cgit/kernel/commit/?id=561ec64ae67ef25cac8d72bb9c4bfc955edfd415
>> >
>> > Best
>> >
>> Well I believe Ubuntu has been using this feature for years and maybe we
>> should consider turning it on via systemd or a unit file. The breakage of AFD
>> is not a legitimate reason for Fedora to turn it off.
>>
>> Kees, could you explain how these restrictions would help secure Fedora and
>> any potential side effects?
>
> AFD was a single specific program doing a very specific task and hardly
> represents an "average workload". I remain extremely disappointed that the
> default-on state was reverted. Ubuntu has had this feature enabled for
> YEARS now, and it stopped quite a few exploits cold.
>
> Everything about these restrictions is described in detail in the commit:
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
>
> I'm happy to answer any questions.

Something like this patch to systemd should work, no?

From 9ee10b11d0d13554d3c59205389d6ebf665a213a Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@xxxxxxxxxx>
Date: Thu, 14 Mar 2013 18:30:47 -0400
Subject: [PATCH] Turn on protected hard and soft link protection by default

---
 Makefile.am                      |  9 +++++++--
 sysctl.d/protected_links.conf.in | 11 +++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 sysctl.d/protected_links.conf.in

diff --git a/Makefile.am b/Makefile.am index 175d14b..68b5de9 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2688,6 +2688,9 @@ pkgconfiglib_DATA += \ dist_catalog_DATA = \ catalog/systemd.catalog +sysctl_DATA = \ + sysctl.d/protected_links.conf + SOCKETS_TARGET_WANTS += \ systemd-journald.socket SYSINIT_TARGET_WANTS += \ @@ -2699,10 +2702,12 @@ EXTRA_DIST += \ src/journal/libsystemd-journal.sym \ units/systemd-journald.service.in \ units/systemd-journal-flush.service.in \ - src/journal/journald-gperf.gperf + src/journal/journald-gperf.gperf \ + sysctl.d/protected_links.conf.in CLEANFILES += \ - src/journal/journald-gperf.c + src/journal/journald-gperf.c \ + sysctl.d/protected_links.conf # ------------------------------------------------------------------------------ if HAVE_MICROHTTPD diff --git a/sysctl.d/protected_links.conf.in b/sysctl.d/protected_links.conf.in new file mode 100644 index 0000000..f183b08 --- /dev/null +++ b/sysctl.d/protected_links.conf.in @@ -0,0 +1,11 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +# See sysctl.d(5) for for details. + +fs.protected_hardlinks=1 +fs.protected_symlinks=1 -- 1.8.1.2 -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
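
Review bot: In the first Makefile.am hunk (@@ -2688,6 +2688,9 @@), sysctl_DATA is given a plain = assignment and nothing visible in the patch defines sysctldir, which automake needs before it will accept a sysctl_DATA primary. Confirm sysctldir is already set in Makefile.am (or add it here), and use += if sysctl_DATA is assigned anywhere else, since a second plain = would conflict. The installed name protected_links.conf also carries no two-digit ordering prefix; sysctl.d files are applied in lexical order, so a prefixed name (for example 50-protected_links.conf, as a suggestion) would make it obvious where this file sorts relative to other drop-ins and how an administrator overrides it.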
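
Review bot: In the second Makefile.am hunk (@@ -2699,10 +2702,12 @@), sysctl.d/protected_links.conf is added to CLEANFILES and its .in template to EXTRA_DIST, but the patch shows no rule that produces the .conf from the .conf.in, and the new template contains no @VARIABLE@ substitutions. Either confirm that an existing generic rule covers sysctl.d/, or drop the .in indirection and ship the file as static dist data so the CLEANFILES entry is unnecessary. Both additions are appended to the lists that end in the journald-gperf entries, and the sysctl_DATA block sits between the catalog and systemd-journald.socket lines; if that part of the file is conditional on building the journal, the link protection settings would silently disappear with it, so a separate block outside the journal section would be safer.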
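
Review bot: In the new sysctl.d/protected_links.conf.in, the comment "# See sysctl.d(5) for for details." repeats "for". The file also gives no indication of what fs.protected_hardlinks=1 and fs.protected_symlinks=1 do or why systemd sets them; a one-line comment pointing at the kernel commit Kees links earlier in this thread would help an administrator deciding whether to override the values. The commit message consists of the subject line only, so the rationale discussed here (the quoted sysctl output shows both values at 0, and the default-on state was reverted) is not recorded in the change itself.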