Hey folks!

Just wanted to give the list a heads-up about a significant change I've just found out about in systemd 241. There are a couple of sysctls that were apparently introduced with Linux kernel 4.19, fs.protected_regular and fs.protected_fifos. These are defined here:

https://www.kernel.org/doc/Documentation/sysctl/fs.txt

"protected_fifos:

The intent of this protection is to avoid unintentional writes to an attacker-controlled FIFO, where a program expected to create a regular file.

When set to "0", writing to FIFOs is unrestricted.

When set to "1" don't allow O_CREAT open on FIFOs that we don't own in world writable sticky directories, unless they are owned by the owner of the directory.

When set to "2" it also applies to group writable sticky directories.

This protection is based on the restrictions in Openwall.

...

protected_regular:

This protection is similar to protected_fifos, but it avoids writes to an attacker-controlled regular file, where a program expected to create one.

When set to "0", writing to regular files is unrestricted.

When set to "1" don't allow O_CREAT open on regular files that we don't own in world writable sticky directories, unless they are owned by the owner of the directory.

When set to "2" it also applies to group writable sticky directories."

These changes seem like they could be significant and potentially cause things that have previously worked to stop working, without it being immediately obvious why. In fact, we've already run across one case where exactly this happened:

https://bugzilla.redhat.com/show_bug.cgi?id=1677027

the protected_regular change caused FreeIPA server deployment to stop working, and it took a bit of team detective work to find out that this was the cause.

So, please be aware of these changes, and if something (particularly something that deals with FIFOs, or writing files in places like /tmp) seems to have suddenly stopped working, consider that this may be the cause. Thanks folks!
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
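
Added example, not part of the original message: a Python model of the rule as the quoted kernel documentation states it, for checking whether an existing file in a sticky directory would make an O_CREAT open fail. The function and parameter names are assumptions made for illustration, and the effective UID stands in for the "we" of the documentation.

```python
import os
import stat
import sys

def sticky_create_denied(level, dir_mode, dir_uid, file_mode, file_uid, caller_uid):
    """Model of the documented rule: True if an O_CREAT open of an existing
    file would be refused. `level` is the value of fs.protected_regular (for
    regular files) or fs.protected_fifos (for FIFOs)."""
    if not (stat.S_ISREG(file_mode) or stat.S_ISFIFO(file_mode)):
        return False                      # the rule covers only these two types
    if level == 0 or not dir_mode & stat.S_ISVTX:
        return False                      # protection off, or directory not sticky
    if file_uid == caller_uid or file_uid == dir_uid:
        return False                      # caller owns it, or the directory owner does
    if dir_mode & stat.S_IWOTH:
        return True                       # world-writable sticky dir: levels 1 and 2
    return level >= 2 and bool(dir_mode & stat.S_IWGRP)  # group-writable: level 2 only

def read_level(name):
    """Current value of fs.<name>; 0 if this kernel does not have the sysctl."""
    try:
        with open(f"/proc/sys/fs/{name}") as f:
            return int(f.read())
    except (OSError, ValueError):
        return 0

def check_path(path, caller_uid=None):
    """Apply the model to an existing file, using the live sysctl values.
    Assumption: the effective UID approximates the UID the kernel compares."""
    caller_uid = os.geteuid() if caller_uid is None else caller_uid
    st = os.lstat(path)
    d = os.stat(os.path.dirname(os.path.abspath(path)))
    name = "protected_fifos" if stat.S_ISFIFO(st.st_mode) else "protected_regular"
    return sticky_create_denied(read_level(name), d.st_mode, d.st_uid,
                                st.st_mode, st.st_uid, caller_uid)

if __name__ == "__main__":
    # Usage: python3 this_file.py /tmp/some-file [...]
    for p in sys.argv[1:]:
        print(p, "DENIED" if check_path(p) else "allowed")
```

Run as the user of the failing service and pass the files it opens in /tmp or similar directories; a "DENIED" result points at these sysctls as the cause.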