[RndTbl] creat() fails on non-root owned file when stickybit set on dir (tcsh) (new kernel bug?)
Gilbert E. Detillieux
gedetil at cs.umanitoba.ca
Thu Jan 2 11:44:50 CST 2020
And see also this potentially useful tutorial, which mentions these
sysctl settings, among other tips...
https://blog.frehi.be/2019/01/30/linux-security-hardening-recommendations/
Gilbert
On 2020-01-02 11:22 a.m., Gilbert E. Detillieux wrote:
> See also...
>
> https://www.spinics.net/lists/fedora-devel/msg252452.html
>
> Thanks, Trevor, for bringing this to our attention. I was not even
> aware of these new sysctl settings and kernel features. I can see why
> they'd be desirable from a security perspective, but it does break
> compatibility, possibly for some legitimate but obscure use cases.
>
> Gilbert
>
> On 2019-12-30 11:57 p.m., Trevor Cordes wrote:
>> After much kernel bisecting by me that yielded nothing of value, it
>> turns out the bug isn't the kernel, it's a change in Fedora's default
>> sysctl.conf settings between F29 and F30 that enable a new-ish kernel
>> "feature". The "feature" turns on this behavior.
>>
>> Thanks to Andrew Morton and especially Al Viro for figuring this out
>> for me as I'm pretty sure a sysctl of some obscure feature would have
>> been the last place I would have looked!
>>
>> The solution is:
>> echo 0 >> /proc/sys/fs/protected_regular
>>
>> The new feature is (and it may be systemd deciding this):
>>
>> * The fs.protected_regular and fs.protected_fifos sysctls, which were
>> added in Linux 4.19 to make some data spoofing attacks harder, are
>> now enabled by default. While this will hopefully improve the
>> security of most installations, it is technically a backwards
>> incompatible change; to disable these sysctls again, place the
>> following lines in /etc/sysctl.d/60-protected.conf or a similar file:
>> fs.protected_regular = 0
>> fs.protected_fifos = 0
>>
>> The bz is:
>> https://bugzilla.kernel.org/show_bug.cgi?id=205727
--
Gilbert E. Detillieux E-mail: <gedetil at cs.umanitoba.ca>
Dept. of Computer Science Web: http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba Phone: (204)474-8161
Winnipeg MB CANADA R3T 2N2 Fax: (204)474-7609
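The rule behind the failure Trevor describes is easy to get wrong by hand, so here is a small C probe, added to this archive page as an illustration and not code from the thread, the kernel or Fedora. It models the documented semantics of fs.protected_regular and fs.protected_fifos (an O_CREAT open of an existing regular file or FIFO in a sticky directory is refused with EACCES when the caller does not own the file, the file is not owned by the directory's owner, and the directory is world-writable at level 1 or also group-writable at level 2), then applies that model to a path using the live sysctl value and finally attempts the same kind of open that creat() performs. The function names (sticky_create_refused, read_sysctl_level, predict_path) are my own, and the probe uses geteuid() as a stand-in for the caller's fsuid, which is an assumption that holds unless setfsuid() has been called.

```c
/* Added example: userspace model of the kernel rule enforced by
 * fs.protected_regular / fs.protected_fifos (Linux 4.19+), plus a probe.
 * Not the kernel's code; helper names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if an O_CREAT open of an EXISTING file with these attributes is refused
 * by the sysctl, 0 if it falls through to the normal permission check.
 * level: value of fs.protected_regular (regular files) or
 *        fs.protected_fifos (FIFOs), i.e. 0, 1 or 2. */
int sticky_create_refused(int level, mode_t dir_mode, uid_t dir_uid,
                          uid_t file_uid, uid_t caller_uid)
{
    if (level <= 0)
        return 0;               /* sysctl off: pre-4.19 behaviour */
    if (!(dir_mode & S_ISVTX))
        return 0;               /* parent directory is not sticky */
    if (file_uid == dir_uid)
        return 0;               /* file owned by the directory owner (e.g. root in /tmp) */
    if (file_uid == caller_uid)
        return 0;               /* caller owns the file */
    if (dir_mode & S_IWOTH)
        return 1;               /* world-writable sticky dir: refused at level >= 1 */
    if ((dir_mode & S_IWGRP) && level >= 2)
        return 1;               /* group-writable sticky dir: refused only at level 2 */
    return 0;
}

/* Current value of /proc/sys/fs/<name>, or -1 if unreadable (older kernel). */
int read_sysctl_level(const char *name)
{
    char path[256];
    snprintf(path, sizeof path, "/proc/sys/fs/%s", name);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Predict for a path: 1 = the sysctl will refuse an O_CREAT open,
 * 0 = the sysctl does not apply, -1 = cannot tell. */
int predict_path(const char *path, uid_t caller_uid)
{
    struct stat st, dst;
    if (stat(path, &st) != 0)
        return errno == ENOENT ? 0 : -1;    /* nothing there yet: a plain create, rule does not apply */
    const char *name;
    if (S_ISREG(st.st_mode))
        name = "protected_regular";
    else if (S_ISFIFO(st.st_mode))
        name = "protected_fifos";
    else
        return 0;                           /* rule covers only regular files and FIFOs */
    int level = read_sysctl_level(name);
    if (level < 0)
        return -1;
    char *copy = strdup(path);              /* dirname() may modify its argument */
    if (!copy)
        return -1;
    int rc = stat(dirname(copy), &dst);
    free(copy);
    if (rc != 0)
        return -1;
    return sticky_create_refused(level, dst.st_mode, dst.st_uid, st.st_uid, caller_uid);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s PATH\n", argv[0]);
        return 2;
    }
    /* Assumption: fsuid == euid (true unless setfsuid() was called). */
    int p = predict_path(argv[1], geteuid());
    printf("prediction: %s\n",
           p == 1 ? "EACCES from fs.protected_* sysctl"
         : p == 0 ? "not blocked by the sysctl"
         :          "unknown");
    /* Same flags as creat() minus O_TRUNC, so the probe never empties a file. */
    int fd = open(argv[1], O_WRONLY | O_CREAT, 0666);
    if (fd < 0) {
        printf("open(O_CREAT): %s\n", strerror(errno));
        return 1;
    }
    printf("open(O_CREAT): ok\n");
    close(fd);
    return 0;
}
```

Run it as a user other than the one who owns an existing file in /tmp (a 1777 directory owned by root) and the prediction flips with the sysctl: `echo 0 > /proc/sys/fs/protected_regular` takes effect immediately but is lost at reboot, while the /etc/sysctl.d/60-protected.conf lines quoted above persist. Note that the refusal only concerns opens that pass O_CREAT on a file that already exists; opening the same file without O_CREAT is unaffected, which is why a shell's `>` redirection (creat() semantics) trips over it where a plain write would not.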