[RndTbl] creat() fails on non-root owned file when stickybit set on dir (tcsh) (new kernel bug?)
Gilbert E. Detillieux
gedetil at cs.umanitoba.ca
Thu Jan 2 11:22:29 CST 2020
See also...
https://www.spinics.net/lists/fedora-devel/msg252452.html
Thanks, Trevor, for bringing this to our attention. I was not even
aware of these new sysctl settings and kernel features. I can see why
they'd be desirable from a security perspective, but it does break
compatibility, possibly for some legitimate but obscure use cases.
Gilbert
On 2019-12-30 11:57 p.m., Trevor Cordes wrote:
> After much kernel bisecting by me that yielded nothing of value, it
> turns out the bug isn't the kernel, it's a change in Fedora's default
> sysctl.conf settings between F29 and F30 that enable a new-ish kernel
> "feature". The "feature" turns on this behavior.
>
> Thanks to Andrew Morton and especially Al Viro for figuring this out
> for me as I'm pretty sure a sysctl of some obscure feature would have
> been the last place I would have looked!
>
> The solution is:
> echo 0 >> /proc/sys/fs/protected_regular
>
> The new feature is (and it may be systemd deciding this):
>
> * The fs.protected_regular and fs.protected_fifos sysctls, which were
> added in Linux 4.19 to make some data spoofing attacks harder, are
> now enabled by default. While this will hopefully improve the
> security of most installations, it is technically a backwards
> incompatible change; to disable these sysctls again, place the
> following lines in /etc/sysctl.d/60-protected.conf or a similar file:
> fs.protected_regular = 0
> fs.protected_fifos = 0
>
> The bz is:
> https://bugzilla.kernel.org/show_bug.cgi?id=205727
--
Gilbert E. Detillieux E-mail: <gedetil at cs.umanitoba.ca>
Dept. of Computer Science Web: http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba Phone: (204)474-8161
Winnipeg MB CANADA R3T 2N2 Fax: (204)474-7609
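To make the behaviour Trevor describes concrete, here is a small added model (not code from the thread or from the kernel) of the decision that fs.protected_regular imposes on an O_CREAT open of an existing regular file. It follows the rule as documented for the sysctl: at level 1 the open is refused in a world-writable sticky directory unless the caller owns the file or the file is owned by the directory's owner; level 2 extends this to group-writable sticky directories. It deliberately exempts nobody, matching the thread's report that root's creat() fails too. The directory modes and uids are constructed sample values; read_sysctl() simply reads the live value from /proc if it exists.

```python
import stat
from typing import Optional

# Constructed model of the fs.protected_regular check applied when an
# existing regular file is opened with O_CREAT. Mirrors the documented rule;
# not the kernel source and not code from the mailing-list thread.


def may_o_creat(protected_regular: int, dir_mode: int, dir_uid: int,
                file_uid: int, proc_uid: int) -> bool:
    """Return True if the O_CREAT open is permitted under the given level.

    protected_regular: 0, 1 or 2 (the sysctl value)
    dir_mode:          mode bits of the containing directory (e.g. 0o1777)
    dir_uid:           owner of that directory
    file_uid:          owner of the existing target file
    proc_uid:          fsuid of the process doing the open (root gets no exemption)
    """
    if protected_regular not in (0, 1, 2):
        raise ValueError("fs.protected_regular must be 0, 1 or 2")

    # Level 0, a non-sticky directory, or a file we own / the dir owner owns:
    # the protection does not apply.
    if protected_regular == 0 or not (dir_mode & stat.S_ISVTX):
        return True
    if file_uid == proc_uid or file_uid == dir_uid:
        return True

    # Level 1 restricts world-writable sticky dirs (/tmp-style, 1777);
    # level 2 additionally restricts group-writable sticky dirs.
    world_writable = bool(dir_mode & stat.S_IWOTH)
    group_writable = bool(dir_mode & stat.S_IWGRP)
    if world_writable or (protected_regular >= 2 and group_writable):
        return False  # kernel returns EACCES here
    return True


def read_sysctl(name: str = "fs.protected_regular") -> Optional[int]:
    """Read a live fs.* sysctl from /proc; None if unavailable (non-Linux, etc.)."""
    path = "/proc/sys/" + name.replace(".", "/")
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def describe(level: int) -> list:
    """Evaluate a few constructed scenarios; returns (label, allowed) pairs."""
    tmp = 0o1777          # world-writable sticky directory owned by root
    shared = 0o1770       # group-writable sticky directory owned by root
    return [
        ("root creat() on user-owned file in /tmp-like dir",
         may_o_creat(level, tmp, 0, 1000, 0)),
        ("user creat() on own file in /tmp-like dir",
         may_o_creat(level, tmp, 0, 1000, 1000)),
        ("root creat() on root-owned file in /tmp-like dir",
         may_o_creat(level, tmp, 0, 0, 0)),
        ("root creat() on user-owned file in group-writable sticky dir",
         may_o_creat(level, shared, 0, 1000, 0)),
    ]


if __name__ == "__main__":
    live = read_sysctl()
    print("live fs.protected_regular:", live if live is not None else "n/a")
    for level in (0, 1, 2):
        print(f"--- fs.protected_regular = {level}")
        for label, ok in describe(level):
            print(f"{'allowed' if ok else 'EACCES ':8} {label}")
```

The first scenario in describe() is the one from the subject line: with the sysctl at 1 (Fedora's new default), root's creat() on a file owned by another user in a 1777 directory is refused, which is why the thread's fix of setting it back to 0 restores the old behaviour.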