linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ingo Molnar <mingo@elte.hu>
To: Kees Cook <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Rik van Riel <riel@redhat.com>,
	Federica Teodori <federica.teodori@googlemail.com>,
	Lucian Adrian Grijincu <lucian.grijincu@gmail.com>,
	Peter Zijlstra <a.p.zijlstra@chello.nl>,
	Eric Paris <eparis@redhat.com>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dan Rosenberg <drosenberg@vsecurity.com>,
	linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v2012.1] fs: symlink restrictions on sticky directories
Date: Thu, 5 Jan 2012 10:17:04 +0100	[thread overview]
Message-ID: <20120105091704.GB3249@elte.hu> (raw)
In-Reply-To: <20120104201800.GA2587@www.outflux.net>


* Kees Cook <keescook@chromium.org> wrote:

> @@ -1495,6 +1496,15 @@ static struct ctl_table fs_table[] = {
>  #endif
>  #endif
>  	{
> +		.procname	= "protected_sticky_symlinks",
> +		.data		= &protected_sticky_symlinks,
> +		.maxlen		= sizeof(int),
> +		.mode		= 0644,
> +		.proc_handler	= proc_dointvec_minmax,
> +		.extra1		= &zero,
> +		.extra2		= &one,
> +	},

Small detail:

Might make sense to change the .mode to 0600, to make it harder 
for unprivileged attack code to guess whether this protection 
(and the resulting audit warning to the administrator) is 
enabled on a system or not.

It can be probed, but only at the cost of generating a warning.

Likewise, distros should set /etc/sysctl.conf to 0600 as well, 
for similar reasons.

Thanks,

	Ingo

  reply	other threads:[~2012-01-05  9:19 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-01-04 20:18 [PATCH v2012.1] fs: symlink restrictions on sticky directories Kees Cook
2012-01-05  9:17 ` Ingo Molnar [this message]
2012-01-05 19:36   ` Kees Cook
2012-01-06  7:36     ` Ingo Molnar
2012-01-06  9:21       ` Andrew Morton
2012-01-06  9:43         ` Ingo Molnar
2012-01-06  9:58           ` Andrew Morton
2012-01-06 10:05             ` Ingo Molnar
2012-01-06 10:33               ` Andrew Morton
2012-01-06 11:16                 ` Ingo Molnar
2012-01-06 18:34             ` Kees Cook
2012-01-06 18:44         ` Kees Cook
2012-01-05 14:30 ` Nick Bowler
2012-01-05 19:34   ` Kees Cook
2012-01-05 20:08     ` Nick Bowler
2012-01-05 20:55       ` Kees Cook
2012-01-05 22:18         ` Nick Bowler
2012-01-06  0:08           ` Kees Cook
2012-01-06  2:05         ` Rik van Riel
2012-01-06  7:34           ` Ingo Molnar
2012-01-06  7:10       ` Ingo Molnar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120105091704.GB3249@elte.hu \
    --to=mingo@elte.hu \
    --cc=a.p.zijlstra@chello.nl \
    --cc=akpm@linux-foundation.org \
    --cc=drosenberg@vsecurity.com \
    --cc=eparis@redhat.com \
    --cc=federica.teodori@googlemail.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lucian.grijincu@gmail.com \
    --cc=rdunlap@xenotime.net \
    --cc=riel@redhat.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).