
Linux kernel hardening - link restrictions



The longstanding link restriction patches were recently accepted by
Andrew Morton and are likely to end up in Linux 3.4.  I've applied
these to src:linux-2.6 in svn and they should end up in the upcoming
version 3.2.9-1.

We know that these are going to break some programs, most notably
'at' (#597130, fixed in wheezy/sid).  But of course it's possible
to work around that by disabling the restriction, so I don't think
this should result in a 'Breaks' relation.

I'm therefore intending to warn about this with the following NEWS
entry in the linux-image metapackages:

Index: debian/linux-image.NEWS
===================================================================
--- debian/linux-image.NEWS	(revision 18757)
+++ debian/linux-image.NEWS	(working copy)
@@ -1,3 +1,18 @@
+linux-latest (44) unstable; urgency=low
+
+  * The new kernel version includes security restrictions on links, which
+    are enabled by default.  These are specified in
+    Documentation/sysctl/fs.txt in the linux-doc-3.2 and linux-source-3.2
+    packages.
+  
+    These restrictions may cause some legitimate programs to fail.
+    In particular, if the 'at' package is installed, you should either:
+    - Upgrade it to at least version 3.1.13-1 (or a backport of that)
+    or:
+    - Set sysctl fs.protected_hardlinks=0 (see /etc/sysctl.conf)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Fri, 02 Mar 2012 04:58:24 +0000
+
 linux-latest-2.6 (26) unstable; urgency=low
 
   * The old IDE (PATA) drivers are no longer developed.  Most PATA
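Review bot: the workaround on the "Set sysctl fs.protected_hardlinks=0" line disables only the hardlink restriction, while the opening sentence announces "security restrictions on links" in general and defers to Documentation/sysctl/fs.txt for the details; say whether a symlink restriction is also enabled by default and which sysctl controls it, or state that only the hardlink restriction affects 'at', so that readers switch off exactly what they need. The blank continuation line between the two paragraphs also carries trailing whitespace ("+  "); make it a bare "+".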
--- END ---

(Why in the metapackages, you ask?  Because apt-listchanges shows NEWS
from upgraded packages, not new packages.)

Does anyone have a better idea how to do this?  Know about other
packages that are affected?

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of them.
