
Bug#709625: protected_hardlinks is too broad - make it per-filesystem instead?



Package: src:linux
Version: 3.2.41-2
Severity: normal

Hi,

I think that the new security feature to restrict hardlinks is a great
idea, but it is also causing me problems. In debian-cd, we rely on the
ability to make hardlinked copies of files from a debian mirror into
temporary disk trees. Since upgrading pettersson (the CD build box),
this broke due to the default protected_hardlinks setting. On that
system:

 * we have a push mirror setup using the "archvsync" user;
 * we build CDs running as the "debian-cd" user

These two user accounts explicitly don't share credentials: archvsync
can be triggered remotely so we don't trust it to be directly involved
in the CD build process. The debian-cd user explicitly does not have
write access to the mirror area on the machine, so as to ensure we
can't/don't make any changes to the mirror when building CDs.

For now, on that system we have changed the default settings via /proc
but it's not a real solution for us and DSA don't want to do it
permanently. I can see a few ways that we could change things:

 * run things using the same account (not wanted, as described above)
 * share a group between the users and make everything group-writable
   (ditto)
 * come up with a fakelink ld_preload lib like we have fakeroot (eww)

Alternatively, I'm pondering: if the main thrust of the hardlink
protection is to prevent attacks against system files, then it might
make more sense to change protected_hardlinks to be a per-filesystem
mount option. By all means protect the root filesystem etc., but for a
purely data-carrying filesystem it's a bit obstructive.

What do you think?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Google-bait:       http://www.debian.org/CD/free-linux-cd
  Debian does NOT ship free CDs. Please do NOT contact the mailing
  lists asking us to send them to you.
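The report describes link() being refused when one user (debian-cd) tries to hardlink files owned by another (archvsync) that it can only read. The following is an added example, not part of the bug report or of the Debian kernel: a simplified Python model of the kernel's protected_hardlinks logic (may_linkat() and safe_hardlink_source() in fs/namei.c), considering classic mode bits only (no POSIX ACLs or LSM hooks). The uids, gids and the 0644 mirror-file mode are constructed values.

```python
import stat

def _rw_permitted(mode, uid, gid, caller_uid, caller_gids):
    """True if the caller has both read and write permission via mode bits."""
    if caller_uid == uid:
        bits = (mode >> 6) & 0o7
    elif gid in caller_gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & 0o6 == 0o6

def safe_hardlink_source(mode, uid, gid, caller_uid, caller_gids):
    """Model of safe_hardlink_source(): a non-owner may link only a regular,
    non-setuid, non-setgid-executable file it can both read and write."""
    if not stat.S_ISREG(mode):
        return False
    if mode & stat.S_ISUID:
        return False
    if (mode & (stat.S_ISGID | stat.S_IXGRP)) == (stat.S_ISGID | stat.S_IXGRP):
        return False
    return _rw_permitted(mode, uid, gid, caller_uid, caller_gids)

def may_link(protected_hardlinks, mode, uid, gid, caller_uid, caller_gids,
             cap_fowner=False):
    """Model of may_linkat(): predict whether link() on this source succeeds."""
    if not protected_hardlinks:          # fs.protected_hardlinks = 0: old behaviour
        return True
    if caller_uid == uid or cap_fowner:  # owner (or CAP_FOWNER) may always link
        return True
    return safe_hardlink_source(mode, uid, gid, caller_uid, caller_gids)

# The debian-cd scenario from the report, with constructed (hypothetical) ids:
ARCHVSYNC_UID, ARCHVSYNC_GID = 1001, 1001
DEBIAN_CD_UID, DEBIAN_CD_GIDS = 1002, {1002}
MIRROR_FILE_MODE = 0o100644   # owner-writable, world-readable regular file

def debian_cd_can_link(protected_hardlinks, extra_gids=frozenset(),
                       mode=MIRROR_FILE_MODE):
    """Can debian-cd hardlink an archvsync-owned mirror file?"""
    return may_link(protected_hardlinks, mode, ARCHVSYNC_UID, ARCHVSYNC_GID,
                    DEBIAN_CD_UID, DEBIAN_CD_GIDS | set(extra_gids))

if __name__ == "__main__":
    print("protected_hardlinks=0:", debian_cd_can_link(0))                 # True
    print("protected_hardlinks=1:", debian_cd_can_link(1))                 # False
    print("shared group, g+w file:", debian_cd_can_link(1, {1001}, 0o100664))  # True
```

The last call shows why the "shared group plus group-writable" workaround in the report would satisfy the check: the caller gains write access to the source.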