
Setting protected *links

Posted Apr 2, 2013 6:23 UTC (Tue) by Duncan (guest, #6647)
In reply to: Anatomy of a user namespaces vulnerability by meyert
Parent article: Anatomy of a user namespaces vulnerability

> # cat /proc/sys/fs/protected_hardlinks
> 0
>
> Where to enable this option permanently?

Assuming Fedora has the common sysctl initscript/unitfile, along with the associated /etc/sysctl.d/* and/or /etc/sysctl.conf, you'd set it there (omitting the /proc/sys bit as that's the normal working dir for this unit/script).

As I follow upstream kernel development reasonably closely on both LWN and independently (running a custom configured Linus git kernel), I saw the feature introduced for kernel 3.7, and added entries to my sysctl.conf file appropriately (JED are my initials, used to distinguish my own modifications; $>> is the non-root version of the last line of my custom-set $PS1 bash prompt (#>> would indicate root, appearing as green on red so there's no mistaking it)):

$>>grep protected /etc/sysctl.conf
# JED: protected sticky/tempdir symlinks/hardlinks (kernel 3.7+)
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

Duncan



Setting protected *links

Posted Apr 5, 2013 21:11 UTC (Fri) by mathstuf (subscriber, #69389)

You could also drop a file in /etc/sysctl.d/99-jed.conf instead of conflicting with package manager-controlled files.
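
An added example, not part of either comment above: a small audit that reports which value of fs.protected_symlinks and fs.protected_hardlinks ends up persisted when several sysctl config files set them, next to the running value. It assumes the files are passed in the order they are applied (last assignment wins); 50-default.conf and its contents are constructed sample input.

```shell
#!/bin/sh
# Added example: audit persisted sysctl settings for the protected-links knobs.
# Assumption: config files are passed in the order they are applied, so the
# last assignment of a key is the one that takes effect.

# Print the last value assigned to key $1 in the files that follow it.
persisted_value() {
    key=$1; shift
    for f in "$@"; do
        # Skip missing files; echo guards against a missing final newline.
        [ -r "$f" ] && { cat "$f"; echo; }
    done | awk -v key="$key" '
        /^[ \t]*[#;]/ { next }                 # comment lines
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            sub(/^-/, "", k)                   # "-key" means ignore write errors
            if (k == key) last = v
        }
        END { if (last != "") print last }'
}

# Print persisted and runtime values for both keys.
# Returns 1 if either persisted value is not "1".
audit_protected_links() {
    rc=0
    for key in fs.protected_symlinks fs.protected_hardlinks; do
        want=$(persisted_value "$key" "$@")
        proc=/proc/sys/$(printf %s "$key" | tr . /)
        live=$( [ -r "$proc" ] && cat "$proc" || echo n/a )
        printf '%s persisted=%s runtime=%s\n' "$key" "${want:-unset}" "$live"
        [ "$want" = 1 ] || rc=1
    done
    return $rc
}

# Constructed sample: an earlier file leaves hardlinks unprotected and a
# later drop-in, named as in the reply above, turns both protections on.
tmp=$(mktemp -d)
printf 'fs.protected_hardlinks = 0\n' > "$tmp/50-default.conf"
printf '# JED\nfs.protected_symlinks = 1\nfs.protected_hardlinks = 1\n' \
    > "$tmp/99-jed.conf"
audit_protected_links "$tmp/50-default.conf" "$tmp/99-jed.conf"
```

A runtime value that differs from the persisted one means the setting was changed by hand or the config has not been applied since it was edited.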

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds