On Sun, 2011-01-09 at 17:51 +0100, Maximilian Gaukler wrote:
> Package: linux-2.6
> Severity: wishlist
> Tags: patch
>
> An indirect security problem in many Linux systems is that a user can
> generate hardlinks to files that he may not write. I suggest adding a
> patch [1] to Debian's kernel which adds a sysctl configuration option
> to forbid such hardlinks. This option should default to "allow" so
> that the default behaviour does not change.
>
> This patch will protect against the following security problems when
> activated:
> One scenario that is described in [2] is that a user creates a
> hardlink to a suid-root binary, e.g. /bin/bash, inside his home
You seem to be a bit confused about this vulnerability. /bin/bash is of
course not suid-root, only owned by root. The interesting thing that can
be done with suid-root binaries is to make links to them so that if a
vulnerability is discovered in them it can be exploited even after the
administrator has upgraded them. (This can be defended against in the
package manager by removing the suid/sgid bits before unlinking them. I
don't know whether dpkg does that yet.)

> directory and asks the administrator to fix the permissions in this
> directory. The administrator will probably run chmod -R u+w,g+w and
> chown -R user:usergroup. Now the user is the owner of /bin/bash and
> can quickly become root.
> A rather simple case would be flooding /tmp/ with hardlinks to
> root-owned files. Even if the user is limited to a certain number of
> files, this will not be counted on his quota.
>
> If the patch is activated, there are only a few negative side effects:
> It violates POSIX specifications and might break unknown, possibly
> insecure, applications.

It doesn't violate POSIX specifications; implementations are allowed to
apply restrictions beyond the standard Unix permission checks (e.g.
SELinux).

> BTW, Ubuntu has this patch enabled by default, so it can't be too bad.

Many distributions apply many patches that are not upstream. We
generally try to avoid doing that in the standard kernel images.
However, we may add kernel images with the 'grsec' featureset for the
next release (wheezy).

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
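The restriction discussed in this thread, modelled as an added example (not the code of patch [1], Debian's kernel, or anything Ben wrote): a policy check that refuses a link(2) to a file the calling user cannot write, and also to a set-uid/set-gid file the caller does not own, which is the case Ben's reply highlights. Assumptions: the exact semantics of patch [1] are not on the page, so the rule below is an illustration of the report's description, and `fs.protected_hardlinks` is the name of the comparable knob later merged in upstream Linux (3.6), read here only if the running kernel has it.

```python
"""Constructed model of a 'restricted hardlink' policy; not the referenced patch's code."""
import stat
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple

@dataclass
class FileInfo:
    """st_uid, st_gid and full st_mode of the link source (constructed values)."""
    uid: int
    gid: int
    mode: int  # e.g. 0o100755 for a regular file with mode 0755

@dataclass
class Cred:
    """Credentials of the process calling link(2)."""
    uid: int
    gids: FrozenSet[int] = field(default_factory=frozenset)

def user_may_write(f: FileInfo, c: Cred) -> bool:
    """Plain Unix discretionary write check (no ACLs, no LSM such as SELinux)."""
    if c.uid == f.uid:
        return bool(f.mode & stat.S_IWUSR)
    if f.gid in c.gids:
        return bool(f.mode & stat.S_IWGRP)
    return bool(f.mode & stat.S_IWOTH)

def hardlink_allowed(src: FileInfo, c: Cred) -> Tuple[bool, str]:
    """Decide whether c may hardlink src under the restriction; returns (allowed, reason)."""
    if c.uid == 0:
        return True, "privileged"  # root (CAP_FOWNER) is not restricted
    if c.uid == src.uid:
        return True, "owner"  # a user may always link files they own
    if src.mode & (stat.S_ISUID | stat.S_ISGID):
        return False, "set-id file not owned by caller"  # the suid-link case
    if not user_may_write(src, c):
        return False, "caller cannot write file"  # the report's rule
    return True, "writable by caller"

def protected_hardlinks_sysctl() -> Optional[int]:
    """Current fs.protected_hardlinks value (upstream since Linux 3.6), None if absent."""
    try:
        with open("/proc/sys/fs/protected_hardlinks") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None
```

Run as uid 1000 against the report's scenarios, the model denies the link to a root-owned 0755 binary, to a set-uid binary and to a root-owned 0644 file in /tmp, and allows links to the user's own files.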