Re: Linux kernel hardening - link restrictions

[Ansgar Burchardt <ansgar@debian.org>]

"Adam D. Barratt" <adam@adam-barratt.org.uk> writes:
>> sounds like a reasonable plan to me, cc:ing debian-release to get a
>> comment on this, and cc:ing the at maintainer too.
>
> (Predictably enough) I'd like to see a debdiff before a final ack, but
> in principle it looks okay; thanks.

Attached below.

Regards,
Ansgar

diff -u at-3.1.12/debian/changelog at-3.1.12/debian/changelog
--- at-3.1.12/debian/changelog
+++ at-3.1.12/debian/changelog
@@ -1,3 +1,10 @@
+at (3.1.12-1+squeeze1) squeeze; urgency=low
+
+  * Create hardlink as priviledged user. (Closes: #597130)
+    Patch backported from at/3.1.13.
+
+ -- Ansgar Burchardt <ansgar@debian.org>  Fri, 02 Mar 2012 18:36:16 +0100
+
 at (3.1.12-1) unstable; urgency=low
 
   * New upstream release:
only in patch2:
unchanged:
--- at-3.1.12.orig/atd.c
+++ at-3.1.12/atd.c
@@ -252,7 +252,10 @@
      * somebody else has already locked it (a second atd?); log the
      * fact and return.
      */
-    if (link(filename, newname) == -1) {
+    PRIV_START
+    rc = link(filename, newname);
+    PRIV_END
+    if (rc == -1) {
 	if (errno == EEXIST) {
 	    free(mailname);
 	    free(newname);