
Re: Bug#889098: enforce fs.protected_hardlinks in sysctl.d by default



On 2018-02-03 10:54:18, Salvatore Bonaccorso wrote:
> Hi
>
> On Fri, Feb 02, 2018 at 09:25:31PM +0100, Moritz Mühlenhoff wrote:
>> Antoine Beaupré wrote:
>> > There are, however, people *not* running Debian-built kernels, and
>> > sometimes for good reasons. This is a configuration that we should
>> > still support.
>> 
>> It is supported, but it's also clearly documented that people need to
>> enable this sysctl for custom kernels:
>> https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security
>
> Just to add a note: if procps is as well going to ship this hardening
> for fs.protected_hardlinks then I think it would be best to follow the
> kernel and do the same for fs.protected_symlinks as well, not only
> the fs.protected_hardlinks.

Agreed.

>> > Incidentally, I wonder if we should remove the patch we have on the
>> > Debian kernels to change the defaults, and instead rely on the
>> > sysctl. I have added the kernel team in CC to have their input.
>> 
>> Why revert the kernel? That doesn't buy us anything. It would be
>> better to ask upstream to revisit this decision (e.g. by contacting
>> the KSPP mailing list). I suppose that SuSE, Ubuntu and Red Hat are
>> shipping similar patches/defaults, so it's probably safe to say
>> that those protections are now the status quo (as opposed to five
>> years ago when that feature was freshly introduced).
>
> Agreed with you and Ben to actually not revert the sane defaults in
> the Debian kernel.
>
> Btw, upstream did initially set those as well, then reverted due to
> some userspace programs breaking; they are/were rare, but the rule is
> to not break userspace (this was done in the referenced commit, "VFS:
> don't do protected {sym,hard}links by default", where it's noted that
> it e.g. broke AFD.)

Right. But we've been running with this as default in Debian for a
while. We also have good mechanisms (config file tracking) to allow
custom changes for users that build their own kernels, although that
might need a release notes update or something because that won't be
flagged by those mechanisms.

A.

-- 
Drowning people
Sometimes die
Fighting their rescuers.
                        - Octavia Butler
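The sysctl.d fragment the thread proposes for procps, together with a check of the live kernel values that would flag a custom-built kernel lacking the Debian default, as an added example that is not from the bug report or the procps package (the file name and the overridable /proc/sys/fs directory are assumptions):

```shell
#!/bin/sh
# Added example, not Debian's or procps' own code. Writes a sysctl.d
# fragment enabling both protected_{hard,sym}links knobs and checks the
# values the running kernel actually exposes.

# Write the hardening fragment; the file name is hypothetical.
write_protected_links_conf() {
    # $1: destination path, e.g. /etc/sysctl.d/protected-links.conf
    printf '%s\n' \
        '# Restrict following symlinks / creating hardlinks in sticky dirs' \
        'fs.protected_hardlinks = 1' \
        'fs.protected_symlinks = 1' > "$1"
}

# Return 0 when both knobs read 1 under the given /proc/sys/fs directory
# (defaults to the live kernel); otherwise print what is off and return 1.
check_protected_links() {
    dir="${1:-/proc/sys/fs}"
    rc=0
    for key in protected_hardlinks protected_symlinks; do
        if [ ! -r "$dir/$key" ]; then
            echo "fs.$key: knob not present (kernel without this feature?)"
            rc=1
            continue
        fi
        val=$(cat "$dir/$key")
        if [ "$val" != "1" ]; then
            echo "fs.$key = $val (expected 1)"
            rc=1
        fi
    done
    return $rc
}

# Return 0 only if a sysctl.d fragment sets both keys to 1; comments,
# blank lines and spacing around '=' are tolerated.
conf_enables_both() {
    h=$(sed -n 's/^[[:space:]]*fs\.protected_hardlinks[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1")
    s=$(sed -n 's/^[[:space:]]*fs\.protected_symlinks[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1")
    [ "$h" = "1" ] && [ "$s" = "1" ]
}
```

Running `check_protected_links` with no argument reads the live kernel; on a self-built kernel without the Debian patch it reports the knobs that are still 0 until the fragment is applied with sysctl.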

