
Linux kernel hardening - link restrictions

The longstanding link restriction patches were recently accepted by
Andrew Morton and are likely to end up in Linux 3.4.  I've applied
these to src:linux-2.6 in svn and they should end up in the upcoming
version 3.2.9-1.

We know that these are going to break some programs, most notably
'at' (#597130, fixed in wheezy/sid).  But of course it's possible
to work around that by disabling the restriction, so I don't think
this should result in a 'Breaks' relation.

I'm therefore intending to warn about this with the following NEWS
entry in the linux-image metapackages:

Index: debian/linux-image.NEWS
--- debian/linux-image.NEWS	(revision 18757)
+++ debian/linux-image.NEWS	(working copy)
@@ -1,3 +1,18 @@
+linux-latest (44) unstable; urgency=low
+  * The new kernel version includes security restrictions on links, which
+    are enabled by default.  These are specified in
+    Documentation/sysctl/fs.txt in the linux-doc-3.2 and linux-source-3.2
+    packages.
+    These restrictions may cause some legitimate programs to fail.
+    In particular, if the 'at' package is installed, you should either:
+    - Upgrade it to at least version 3.1.13-1 (or a backport of that)
+    or:
+    - Set sysctl fs.protected_hardlinks=0 (see /etc/sysctl.conf)
+ -- Ben Hutchings <ben@decadent.org.uk>  Fri, 02 Mar 2012 04:58:24 +0000
 linux-latest-2.6 (26) unstable; urgency=low
   * The old IDE (PATA) drivers are no longer developed.  Most PATA
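Review bot: the new entry announces "security restrictions on links" in the plural and points readers at Documentation/sysctl/fs.txt, but the workaround bullet names only fs.protected_hardlinks; the same patch set also adds fs.protected_symlinks, and a user whose program trips the symlink check rather than the hardlink check will not find the knob they need here. Suggest naming both sysctls in the second bullet, e.g. "- Set sysctl fs.protected_hardlinks=0 and/or fs.protected_symlinks=0 (see /etc/sysctl.conf)", and noting that an /etc/sysctl.conf change only takes effect at boot or after `sysctl -p`, since the entry is read on upgrade while the old kernel may still be running.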
--- END ---

(Why in the metapackages, you ask?  Because apt-listchanges shows NEWS
from upgraded packages, not new packages.)

Does anyone have a better idea how to do this?  Know about other
packages that are affected?


Ben Hutchings
One of the nice things about standards is that there are so many of them.

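The NEWS entry above tells an administrator to either upgrade 'at' or turn the restriction off in /etc/sysctl.conf. The script below is an added example, not part of the original mail or of the Debian kernel packaging: it shows which link restrictions the running kernel enforces right now and which values a sysctl.conf-style file will set at boot, so the two can be compared before and after the upgrade. The sysctl names are the ones from the NEWS entry plus the companion fs.protected_symlinks knob from the same patch set; the sample configuration file is constructed for the demonstration, and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original mail or the Debian packaging):
# compare the link restrictions enforced by the running kernel with the
# values a sysctl.conf-style file will apply at boot.

# Value of a fs.* sysctl on the running kernel, or "absent" when the
# kernel does not provide it (e.g. a kernel without the link patches).
running_value() {
    if [ -r "/proc/sys/fs/$1" ]; then
        cat "/proc/sys/fs/$1"
    else
        echo absent
    fi
}

# Value assigned to key $1 in the sysctl.conf-style file $2 (stdin if
# omitted). Mirrors how `sysctl -p` reads the file: lines starting with
# '#' or ';' are comments, entries are 'key = value', keys written as
# 'fs/protected_hardlinks' are treated as 'fs.protected_hardlinks', and
# the last assignment wins. Prints nothing when the key is not set.
# (Simplification: ignores sysctl's rule that dots inside a slash-form
# key are literal, which only matters for interface names like eth0.1.)
sysctl_conf_value() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub("/", ".", k)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' ${2+"$2"}
}

# One line per knob: what is enforced now versus what the given conf
# file will set at boot (or on `sysctl -p`). "unset" means the file
# leaves the kernel default in place.
report() {
    conf=$1
    for knob in protected_hardlinks protected_symlinks; do
        now=$(running_value "$knob")
        boot=$(sysctl_conf_value "fs.$knob" "$conf")
        printf '%-20s running=%s configured=%s\n' "$knob" "$now" "${boot:-unset}"
    done
}

# Constructed sample standing in for /etc/sysctl.conf: an early slash-form
# line enables the hardlink restriction, a later line disables it again
# for an old 'at'; the later one must win.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat >"$sample" <<'EOF'
# constructed example, not a real /etc/sysctl.conf
fs/protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_hardlinks = 0
EOF

echo "constructed sample file:"
report "$sample"
if [ -r /etc/sysctl.conf ]; then
    echo "/etc/sysctl.conf:"
    report /etc/sysctl.conf
fi
```

Run it once before rebooting into the new kernel and once after: the "running" column changes from absent to 1 on the upgrade, and a configured=0 line for protected_hardlinks confirms that the /etc/sysctl.conf workaround for an old 'at' will actually be applied at boot rather than only after a manual `sysctl -p`.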