Re: directory sticky bit strangeness following libc6 update
On Sun, Apr 19, 2020 at 07:11:56PM -0500, Bob Tracy wrote:
> On Sun, Apr 19, 2020 at 01:01:17AM +0200, Matthias Ferdinand wrote:
> > On Sat, Apr 18, 2020 at 07:48:27AM -0500, Bob Tracy wrote:
> > > > If the rules had changed, it should not succeed even without
> > > > O_CREAT. A bug?
> > >
> > > That's *my* take on the matter. It will be a day or so before I can
> > > check upstream and see if any bug reports have been opened against
> > > libc6, but if someone else would care to look in the meantime :-) ...
> >
> > found https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954230, added
> > O_CREAT information to it.
> >
> > Matthias Ferdinand
>
> An update to that bug report suggested checking
> /proc/sys/fs/protected_regular, which is now set to 2 by default on my
> alpha. No idea where the new setting is coming from. It's a sysctl
> setting that has evidently been around for a good while. Other systems
> I have access to that are running the same kernel have that value set
> to 0. So I guess the current verdict is, "works as documented". Would
> still like to know what changed, because it's not being touched by the
> kernel build process: else, the other systems running the same kernel
> would be exhibiting the same behavior.
systemd seems to be setting this. From /usr/share/doc/systemd/NEWS.gz:

    ...
    CHANGES WITH 241:
    ...
        * The fs.protected_regular and fs.protected_fifos sysctls, which were
          added in Linux 4.19 to make some data spoofing attacks harder, are
       => now enabled by default. While this will hopefully improve the
          security of most installations, it is technically a backwards
          incompatible change; to disable these sysctls again, place the
          following lines in /etc/sysctl.d/60-protected.conf or a similar file:

              fs.protected_regular = 0
              fs.protected_fifos = 0

Still not sure why there is different behaviour appending to a file
depending on using O_CREAT or not.

Matthias
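Two points from the thread are worth pinning down for anyone who hits the same surprise. First, the O_CREAT asymmetry is by design: the kernel's admin-guide entry for fs.protected_regular describes it as a restriction on O_CREAT opens of regular files in world-writable sticky directories, and opening an existing file without O_CREAT is governed by the ordinary permission checks alone. Second, the "where is the value coming from" question is answered by the precedence rules in sysctl.d(5): all *.conf drop-ins are applied in lexicographic order of basename regardless of directory, the lexicographically latest assignment wins, and a file in /etc/sysctl.d masks a same-named file in /run/sysctl.d, /usr/local/lib/sysctl.d and /usr/lib/sysctl.d. The script below is an added example written for this page, not code from the thread or from systemd; it implements those rules to report which drop-in sets a given key and compares that with the live value under /proc/sys. It assumes drop-in paths contain no whitespace and does not cover /etc/sysctl.conf, which systemd-sysctl also reads.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): locate the sysctl.d
# drop-in responsible for a setting such as fs.protected_regular, following
# the precedence rules documented in sysctl.d(5):
#   * every *.conf is applied in lexicographic order of its basename, whatever
#     directory it lives in, so 60-protected.conf overrides 50-default.conf;
#   * a file in /etc/sysctl.d masks a same-named file in /run/sysctl.d,
#     /usr/local/lib/sysctl.d and /usr/lib/sysctl.d.
# Assumption: drop-in paths contain no whitespace (the for loop word-splits).
# /etc/sysctl.conf, which systemd-sysctl reads as well, is not covered here.

# find_sysctl_setting KEY DIR...   (DIRs in masking order, /etc first)
# Prints "VALUE FILE" for the winning assignment; returns 1 if KEY is unset.
find_sysctl_setting() {
    key="$1"; shift
    winner_file=""; winner_value=""

    # Pass 1: emit "basename dir-index path" for every drop-in, sort by
    # basename then directory rank, keep the first (highest-precedence) path
    # per basename. The result is the list in the order systemd applies it.
    files=$(i=0; for d in "$@"; do
        i=$((i + 1))
        [ -d "$d" ] || continue
        for f in "$d"/*.conf; do
            [ -f "$f" ] || continue
            printf '%s %d %s\n' "${f##*/}" "$i" "$f"
        done
    done | sort -k1,1 -k2,2n | awk '!seen[$1]++ { print $3 }')

    # Pass 2: walk the survivors in basename order; the last file assigning
    # KEY wins, which is what "overwriting earlier assignment" means in systemd.
    for path in $files; do
        value=$(awk -v k="$key" -F= '
            /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
            {
                name = $1
                sub(/^[[:space:]]*-?[[:space:]]*/, "", name)  # leading "-" = ignore errors
                sub(/[[:space:]]+$/, "", name)
                gsub("/", ".", name)                          # net/ipv4/x == net.ipv4.x
                if (name == k) {
                    v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                    found = v; hit = 1
                }
            }
            END { if (hit) print found }' "$path")
        if [ -n "$value" ]; then
            winner_file=$path
            winner_value=$value
        fi
    done

    [ -n "$winner_file" ] || return 1
    printf '%s %s\n' "$winner_value" "$winner_file"
}

# report KEY: show the live kernel value next to the drop-in that sets it.
report() {
    key="$1"
    live=$(cat "/proc/sys/$(printf '%s' "$key" | tr . /)" 2>/dev/null) || live="(not available)"
    printf 'live value of %s: %s\n' "$key" "$live"
    if src=$(find_sysctl_setting "$key" /etc/sysctl.d /run/sysctl.d \
                                 /usr/local/lib/sysctl.d /usr/lib/sysctl.d); then
        printf 'set by drop-in: %s\n' "$src"
    else
        printf 'no sysctl.d drop-in assigns %s (kernel default or /etc/sysctl.conf)\n' "$key"
    fi
}

# Usage: sh find_sysctl.sh report fs.protected_regular
if [ "${1:-}" = "report" ]; then
    report "${2:-fs.protected_regular}"
fi
```

Run with `report` to see, for example, a live value of 2 alongside the /usr/lib/sysctl.d file that assigns it; dropping the 60-protected.conf from the NEWS excerpt into /etc/sysctl.d and re-running shows the winner move to that file, since its basename sorts after 50-default.conf. A value that is live but attributed to no drop-in points at /etc/sysctl.conf or at something setting it outside systemd-sysctl.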