Re: Linux kernel hardening - link restrictions

To: debian-devel@lists.debian.org, Ansgar Burchardt <ansgar@43-1.org>, ansgar@debian.org
Cc: debian-release@lists.debian.org, debian-kernel@lists.debian.org
Subject: Re: Linux kernel hardening - link restrictions
From: Holger Levsen <holger@layer-acht.org>
Date: Fri, 2 Mar 2012 11:47:14 +0100
Message-id: <201203021147.16121.holger@layer-acht.org>
In-reply-to: <20120302054021.GU3990@outflux.net>
References: <20120302051158.GU12704@decadent.org.uk> <20120302054021.GU3990@outflux.net>

Hi,

On Freitag, 2. März 2012, Kees Cook wrote:
> > +  * The new kernel version includes security restrictions on links,
> > +    These restrictions may cause some legitimate programs to fail.
> > +    In particular, if the 'at' package is installed, you should either:
> > +    - Upgrade it to at least version 3.1.13-1 (or a backport of that)
> > +    - Set sysctl fs.protected_hardlinks=0 (see /etc/sysctl.conf)
> It's a trivial patch[1] to fix "at". How about just backporting that
> change to stable, to avoid that known trouble too? This is what Ubuntu
> did for the Lucid LTS release that was getting backported kernels (with
> link restrictions) built for it.

sounds like a reasonable plan to me, cc:ing debian-release to get a comment
on this, and cc:ing the at maintainer too.

> [1]
> http://anonscm.debian.org/gitweb/?p=collab-maint/at.git;a=commitdiff;h=f4114656c3a6c6f6070e315ffdf940a49eda3279


cheers,
	Holger

Reply to:

Follow-Ups:
- Re: Linux kernel hardening - link restrictions
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Bug#573187: transition: mpi-defaults
Next by Date: Re: Plans for ITK version 4
Previous by thread: Bug#573187: transition: mpi-defaults
Next by thread: Re: Linux kernel hardening - link restrictions
Index(es):
- Date
- Thread