On Fri, 2012-09-07 at 08:56 +0800, jidanni@jidanni.org wrote:
> # su - nobody
> No directory, logging in with HOME=/
> nobody@jidanni2:/$ date > /tmp/cc
> nobody@jidanni2:/$ ln -s /tmp/cc /tmp/dd
> nobody@jidanni2:/$ ls -l /tmp/cc /tmp/dd
> -rw-r--r-- 1 nobody nogroup 29 Sep 7 08:37 /tmp/cc
> lrwxrwxrwx 1 nobody nogroup 7 Sep 7 08:37 /tmp/dd -> /tmp/cc
> nobody@jidanni2:/$ su -
> # cat /tmp/cc /tmp/dd
> Fri Sep 7 08:37:38 CST 2012
> cat: /tmp/dd: Permission denied
> # tail /var/log/syslog
> Sep 7 08:36:46 jidanni2 kernel: [19394.443080] type=1400 audit(1346978206.292:11): op=follow_link action=denied pid=19327 comm="cat" path="/tmp/bb" dev="tmpfs" ino=275448
> # uname -a
> Linux jidanni2 3.2.0-3-486 #1 Mon Jul 23 02:47:49 UTC 2012 i686 GNU/Linux
linux-2.6 (3.2.9-1) unstable; urgency=high
[...]
  * fs: Introduce and enable security restrictions on links:
    - Do not follow symlinks in /tmp that are owned by other users
      (sysctl: fs.protected_symlinks)
    - Do not allow unprivileged users to create hard links to sensitive files
      (sysctl: fs.protected_hardlinks) (Closes: #609455)
    + This breaks the 'at' package in stable, which will be fixed shortly
      (see #597130)
The precise restrictions are specified in Documentation/sysctl/fs.txt in
the linux-doc-3.2 and linux-source-3.2 packages.
--
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
- Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'
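The rule behind the "Permission denied" in the report above, as an added example that is not part of the thread or of the kernel: a small Python model of the fs.protected_symlinks decision as described in Documentation/sysctl/fs.txt (follow allowed only outside a sticky world-writable directory, or when the follower's uid matches the symlink owner, or when the directory owner matches the symlink owner), plus a scanner that walks a directory and reports which symlinks a given uid would be refused. It evaluates the documented rule itself rather than asking the kernel, and the uids it assumes (0 for root, 65534 for nobody, /tmp as a root-owned 01777 directory) are Debian-style defaults, not values taken from the page.

```python
"""Model of the fs.protected_symlinks rule plus a symlink auditor.

Added example, not code from the thread or the kernel. Assumes uid 0 is
root and uid 65534 is nobody (common Debian defaults), and that /tmp is a
root-owned directory with mode 01777.
"""
import os
import stat
from typing import Iterator, Tuple


def protected_symlinks_enabled(procfile: str = "/proc/sys/fs/protected_symlinks") -> bool:
    """True if the running kernel exposes the knob and it is set to 1."""
    try:
        with open(procfile) as f:
            return f.read().strip() == "1"
    except OSError:
        return False  # older kernel or non-Linux: the sysctl does not exist


def is_sticky_world_writable(dir_mode: int) -> bool:
    """The restriction only applies inside sticky, world-writable directories
    such as /tmp (mode 01777)."""
    return bool(dir_mode & stat.S_ISVTX) and bool(dir_mode & stat.S_IWOTH)


def symlink_follow_allowed(follower_uid: int, dir_mode: int, dir_uid: int, link_uid: int) -> bool:
    """fs.protected_symlinks=1 decision for following one symlink.

    Permitted when the link is outside a sticky world-writable directory, or
    the follower's uid equals the symlink owner's, or the directory owner
    equals the symlink owner. Root gets no exemption: this is an ownership
    check, not a DAC permission check, which is why `cat /tmp/dd` as root
    fails while nobody can still read its own link.
    """
    if not is_sticky_world_writable(dir_mode):
        return True
    if follower_uid == link_uid:
        return True
    if dir_uid == link_uid:
        return True
    return False


def audit_symlinks(root: str, follower_uid: int) -> Iterator[Tuple[str, bool]]:
    """Walk `root` without following links and yield (path, allowed) for every
    symlink, evaluated for `follower_uid` under the documented rule."""
    for dirpath, dirnames, filenames in os.walk(root):
        dst = os.lstat(dirpath)
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                yield p, symlink_follow_allowed(follower_uid, dst.st_mode, dst.st_uid, st.st_uid)


def thread_scenario() -> dict:
    """Replay the report: /tmp is root-owned 01777, the link belongs to nobody
    (assumed uid 65534), and root (uid 0) tries to follow it."""
    tmp_mode, tmp_uid, nobody, root = 0o41777, 0, 65534, 0
    return {
        "root_follows_nobody_link": symlink_follow_allowed(root, tmp_mode, tmp_uid, nobody),
        "nobody_follows_own_link": symlink_follow_allowed(nobody, tmp_mode, tmp_uid, nobody),
        "anyone_follows_root_link": symlink_follow_allowed(nobody, tmp_mode, tmp_uid, root),
        "root_follows_link_in_home": symlink_follow_allowed(root, 0o40755, nobody, nobody),
    }


def demo_in_tempdir() -> bool:
    """Create a sticky world-writable directory with a dangling symlink we own
    and audit it as ourselves: follower and link owner match, so following is
    permitted. (Reproducing the denial needs a link owned by a different uid,
    which requires root.)"""
    import tempfile
    d = tempfile.mkdtemp()
    os.chmod(d, 0o1777)
    os.symlink(os.path.join(d, "target"), os.path.join(d, "link"))
    results = dict(audit_symlinks(d, os.getuid()))
    return results.get(os.path.join(d, "link")) is True


if __name__ == "__main__":
    print("kernel has fs.protected_symlinks=1:", protected_symlinks_enabled())
    for name, allowed in thread_scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    for path, allowed in audit_symlinks("/tmp", 0):
        print(f"{'ok    ' if allowed else 'DENIED'} {path}")
```

Run as root against a multi-user /tmp, the last loop lists exactly the links that `cat`, `at` and similar root-run tools will now refuse to follow; that is the same class of failure the changelog entry warns about for the 'at' package.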