Hi,
Incidentally I contacted SuSE security who agreed that fs.protected_symlinks is
not a valid mitigation (they will update MITRE).

I also improved the piuparts check:
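
#!/bin/sh -ex
if [ -e /var/lib/nfs ]; then
    ls -ld /var/lib/nfs
    ls -ld /var/lib/nfs/sm
    # Only enforce the ownership checks for nfs-common 1:1.3.4-2.6;
    # any other installed version passes.
    if [ "$(dpkg -l | grep ' nfs-common ' | awk '{print $3}')" != '1:1.3.4-2.6' ]; then
        exit 0
    fi
    # /var/lib/nfs must be owned by root:root.
    if [ "$(stat -c '%U:%G' /var/lib/nfs)" != 'root:root' ]; then
        exit 1
    fi
    # /var/lib/nfs/sm must be owned by statd:nogroup.
    if [ "$(stat -c '%U:%G' /var/lib/nfs/sm)" != 'statd:nogroup' ]; then
        exit 1
    fi
fi
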
Cheers!
Sylvain