Heads up: significant change to fs.protected_regular and fs.protected_fifos sysctls with systemd 241

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey folks! Just wanted to give the list a heads-up about a significant
change I've just found out about in systemd 241.

There are a couple of sysctls that were apparently introduced with
Linux kernel 4.19, fs.protected_regular and fs.protected_fifos . These
are defined here:

https://www.kernel.org/doc/Documentation/sysctl/fs.txt

"protected_fifos:

The intent of this protection is to avoid unintentional writes to
an attacker-controlled FIFO, where a program expected to create a
regular
file.

When set to "0", writing to FIFOs is unrestricted.

When set to "1" don't allow O_CREAT open on FIFOs that we don't own
in world writable sticky directories, unless they are owned by the
owner of the directory.

When set to "2" it also applies to group writable sticky directories.

This protection is based on the restrictions in Openwall.

...

protected_regular:

This protection is similar to protected_fifos, but it
avoids writes to an attacker-controlled regular file, where a program
expected to create one.

When set to "0", writing to regular files is unrestricted.

When set to "1" don't allow O_CREAT open on regular files that we
don't own in world writable sticky directories, unless they are
owned by the owner of the directory.

When set to "2" it also applies to group writable sticky directories."

These changes seem like they could be significant and potentially cause
things that have previously worked to stop working, without it being
immediately obvious why. In fact, we've already run across one case
where exactly this happened:

https://bugzilla.redhat.com/show_bug.cgi?id=1677027

the protected_regular change caused FreeIPA server deployment to stop
working, and it took a bit of team detective work to find out that this
was the cause.

So, please be aware of these changes, and if something (particularly
something that deals with FIFOs, or writing files in places like /tmp)
seems to have suddenly stopped working, consider that this may be the
cause.

Thanks folks!
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux