Re: Linux kernel hardening - link restrictions
Hi,
On 2012-03-02 05:11:58 +0000, Ben Hutchings wrote:
> I'm therefore intending to warn about this with the following NEWS
> entry in the linux-image metapackages:
>
> Index: debian/linux-image.NEWS
> ===================================================================
> --- debian/linux-image.NEWS (revision 18757)
> +++ debian/linux-image.NEWS (working copy)
> @@ -1,3 +1,18 @@
> +linux-latest (44) unstable; urgency=low
> +
> + * The new kernel version includes security restrictions on links, which
> + are enabled by default. These are specified in
> + Documentation/sysctl/fs.txt in the linux-doc-3.2 and linux-source-3.2
> + packages.
> +
> + These restrictions may cause some legitimate programs to fail.
> + In particular, if the 'at' package is installed, you should either:
> + - Upgrade it to at least version 3.1.13-1 (or a backport of that)
> + or:
> + - Set sysctl fs.protected_hardlinks=0 (see /etc/sysctl.conf)
> +
> + -- Ben Hutchings <ben@decadent.org.uk> Fri, 02 Mar 2012 04:58:24 +0000
> +
> linux-latest-2.6 (26) unstable; urgency=low
>
> * The old IDE (PATA) drivers are no longer developed. Most PATA
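Review bot: The two remedies read as equally acceptable, but "- Set sysctl fs.protected_hardlinks=0" turns the new hardening off for every program on the system, not just for 'at'; suggest presenting the upgrade as the fix and the sysctl as a temporary workaround, e.g. "- or, as a temporary workaround, set sysctl fs.protected_hardlinks=0". Also, the entry speaks of "security restrictions on links" in general yet names only the hardlink knob; if the symlink restriction ships in the same kernel, name its sysctl as well so readers know which setting to look at.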
> --- END ---
>
> (Why in the metapackages, you ask? Because apt-listchanges shows NEWS
> from upgraded packages, not new packages.)
I didn't see anything! (I noticed the change thanks to a diff on
"sysctl -a" output, otherwise I wouldn't be aware of it.)
> Does anyone have a better idea how to do this? Know about other
> packages that are affected?
There seems to be something wrong. The upgrade was done via
linux-image-amd64 3.2+44 (from source linux-latest 44), and
/usr/share/doc/linux-image-amd64/NEWS.Debian.gz just contains:
linux-latest-2.6 (26) unstable; urgency=low
[...]
-- Ben Hutchings <ben@decadent.org.uk> Tue, 04 May 2010 02:10:04 +0100
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)