[RndTbl] creat() fails on non-root owned file when stickybit set on dir (tcsh) (new kernel bug?)

Gilbert E. Detillieux gedetil at cs.umanitoba.ca
Thu Jan 2 11:44:50 CST 2020


And see also this potentially useful tutorial, which mentions these 
sysctl settings, among other tips...

https://blog.frehi.be/2019/01/30/linux-security-hardening-recommendations/

Gilbert

On 2020-01-02 11:22 a.m., Gilbert E. Detillieux wrote:
> See also...
> 
> https://www.spinics.net/lists/fedora-devel/msg252452.html
> 
> Thanks, Trevor, for bringing this to our attention.  I was not even 
> aware of these new sysctl settings and kernel features.  I can see why 
> they'd be desirable from a security perspective, but it does break 
> compatibility, possibly for some legitimate but obscure use cases.
> 
> Gilbert
> 
> On 2019-12-30 11:57 p.m., Trevor Cordes wrote:
>> After much kernel bisecting by me that yielded nothing of value, it
>> turns out the bug isn't the kernel, it's a change in Fedora's default
>> sysctl.conf settings between F29 and F30 that enable a new-ish kernel
>> "feature".  The "feature" turns on this behavior.
>>
>> Thanks to Andrew Morton and especially Al Viro for figuring this out
>> for me as I'm pretty sure a sysctl of some obscure feature would have
>> been the last place I would have looked!
>>
>> The solution is:
>> echo 0 >> /proc/sys/fs/protected_regular
>>
>> The new feature is (and it may be systemd deciding this):
>>
>> * The fs.protected_regular and fs.protected_fifos sysctls, which were
>>    added in Linux 4.19 to make some data spoofing attacks harder, are
>>    now enabled by default. While this will hopefully improve the
>>    security of most installations, it is technically a backwards
>>    incompatible change; to disable these sysctls again, place the
>>    following lines in /etc/sysctl.d/60-protected.conf or a similar file:
>>      fs.protected_regular = 0
>>      fs.protected_fifos = 0
>>
>> The bz is:
>> https://bugzilla.kernel.org/show_bug.cgi?id=205727

-- 
Gilbert E. Detillieux        E-mail:  <gedetil at cs.umanitoba.ca>
Dept. of Computer Science    Web:     http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba       Phone:   (204)474-8161
Winnipeg MB CANADA  R3T 2N2  Fax:     (204)474-7609
