
Re: Linux kernel hardening - link restrictions



On 12-03-02 at 05:11am, Ben Hutchings wrote:
> The longstanding link restriction patches were recently accepted by
> Andrew Morton and are likely to end up in Linux 3.4.  I've applied
> these to src:linux-2.6 in svn and they should end up in the upcoming
> version 3.2.9-1.
> 
> We know that these are going to break some programs, most notably
> 'at' (#597130, fixed in wheezy/sid).  But of course it's possible
> to work around that by disabling the restriction, so I don't think
> this should result in a 'Breaks' relation.
> 
> I'm therefore intending to warn about this with the following NEWS
> entry in the linux-image metapackages:
> 
> Index: debian/linux-image.NEWS
> ===================================================================
> --- debian/linux-image.NEWS	(revision 18757)
> +++ debian/linux-image.NEWS	(working copy)
> @@ -1,3 +1,18 @@
> +linux-latest (44) unstable; urgency=low
> +
> +  * The new kernel version includes security restrictions on links, which
> +    are enabled by default.  These are specified in
> +    Documentation/sysctl/fs.txt in the linux-doc-3.2 and linux-source-3.2
> +    packages.
> +  
> +    These restrictions may cause some legitimate programs to fail.
> +    In particular, if the 'at' package is installed, you should either:
> +    - Upgrade it to at least version 3.1.13-1 (or a backport of that)
> +    or:
> +    - Set sysctl fs.protected_hardlinks=0 (see /etc/sysctl.conf)
> +
> + -- Ben Hutchings <ben@decadent.org.uk>  Fri, 02 Mar 2012 04:58:24 +0000
> +
>  linux-latest-2.6 (26) unstable; urgency=low
>  
>    * The old IDE (PATA) drivers are no longer developed.  Most PATA
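Review bot: the entry speaks of "security restrictions on links" and points the reader at Documentation/sysctl/fs.txt, but the only knob it names is fs.protected_hardlinks, so a user hit by any other link restriction that file documents cannot tell from this text which sysctl applies; either name every link sysctl the documentation covers or say explicitly that the 'at' breakage is the hardlink case. The workaround line should also state that fs.protected_hardlinks=0 switches the protection off for every user on the system, not just for 'at', so that upgrading the package reads as the preferred of the two options. Minor: the blank line between the two paragraphs of the entry carries trailing whitespace ("+  ").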
> --- END ---
> 
> (Why in the metapackages, you ask?  Because apt-listchanges shows NEWS
> from upgraded packages, not new packages.)
> 
> Does anyone have a better idea how to do this?  Know about other
> packages that are affected?

I suggest adding it to *both* the metapackages and the real packages: some may 
not use the metapackages and may inspect the NEWS file by other means 
than apt-listchanges (which I guess is what you are talking about).


Regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
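The sysctl workaround discussed above is the kind of setting an administrator later wants to audit: is fs.protected_hardlinks still on for the running kernel, and has someone left a line in /etc/sysctl.conf that turns it off? The script below is an added example for this thread, not code from Ben's patch or from the Debian packaging; it reads the live value from /proc/sys and scans a sysctl.conf-style file for the key. The configuration fragment it checks is constructed here, and the report format is my own.

```sh
#!/bin/sh
# Added example (not from the thread): audit the link-restriction sysctl that
# the NEWS entry refers to, both as the kernel currently applies it and as a
# sysctl.conf-style file would set it at boot.

# Live value of a sysctl, or "absent" when the running kernel has no such
# knob (older kernels, or a non-Linux host).
sysctl_live() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# Value a sysctl.conf-style file assigns to key $1, or "unset" when the file
# never mentions it.  Comment lines are skipped and the last assignment wins,
# which is how sysctl(8) applies such a file.
sysctl_conf_value() {
    awk -v k="$1" '
        /^[ \t]*[#;]/ { next }          # comment line
        /=/ {
            split($0, kv, "=")
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) v = val
        }
        END { print (v == "" ? "unset" : v) }' "$2"
}

# Classify what file $1 does to the hardlink restriction:
# "disabled" for =0, "enabled" for =1, "unset" when left at the kernel default.
hardlink_protection_in_conf() {
    case "$(sysctl_conf_value fs.protected_hardlinks "$1")" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unset ;;
    esac
}

# Constructed /etc/sysctl.conf fragment for the example: an unrelated key,
# then the workaround from the NEWS entry.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real system file
net.ipv4.ip_forward = 0
# workaround for an old 'at'; note this weakens the whole system, not just 'at'
fs.protected_hardlinks = 0
EOF

printf 'live fs.protected_hardlinks: %s\n' "$(sysctl_live fs.protected_hardlinks)"
printf 'sysctl.conf would set it to: %s\n' "$(hardlink_protection_in_conf "$SAMPLE_CONF")"
```

Run against the real file with `hardlink_protection_in_conf /etc/sysctl.conf`; a "disabled" result alongside a live value of 1 means the protection will silently go away at the next boot or `sysctl -p`, which is exactly the state to catch once the fixed 'at' package is installed and the workaround is no longer needed.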
