I recently noticed that Gentoo does not by default apply safe settings for the following sysctls:

fs.protected_regular
fs.protected_fifos

These settings are similar to the better known protected_symlinks and protected_hardlinks settings, but they apply to regular files or FIFO special files, respectively. When these are set to "1", opening existing files with the O_CREAT flag fails when the existing file is owned by a user other than root and is placed in a public sticky-bit directory. Also see "man 5 proc" for the full documentation of these. Most other Linux distributions seem to have set this to "1" already by default.

The even stronger "2" setting also affects directories with the setgid bit set; this setting might cause compatibility issues in some cases, I'm not sure of that.

In Gentoo currently the baselayout package ships a sysctl.d drop-in file "00protected-links.conf" that takes care of safe settings for protected_symlinks and protected_hardlinks. protected_regular and protected_fifos could be covered similarly.

A recently published security issue in "kcron" shows that protected_regular has some real-world security relevance: https://www.openwall.com/lists/oss-security/2022/02/25/3
Hi Matthias, thanks for reporting!

This is currently already partially implemented on the kernel side (the patch is part of genpatches, which is part of gentoo-sources and gentoo-kernel; thanks ionen for giving the link): https://gitweb.gentoo.org/proj/linux-patches.git/tree/1510_fs-enable-link-security-restrictions-by-default.patch?h=5.16

On top of this, systemd has a sysctl.d drop-in that sets all of these flags:

$ grep fs.protected /usr/lib/sysctl.d/50-default.conf
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1

So only non-systemd users should be affected here. CCing the kernel team to see if they can extend the first patch to also apply the protected_regular and protected_fifos flags.
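As an added example (this is not code from the bug report, from Gentoo's baselayout or from genpatches), the following POSIX shell script audits the four fs.protected_* knobs discussed in the report against the values recommended there, and writes a sysctl.d drop-in equivalent to the systemd 50-default.conf lines quoted above. The drop-in file name, the function names and the fake /proc tree used for testing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of this bug or of Gentoo's own packages.
# Audits fs.protected_* sysctls and writes a sysctl.d drop-in for them.

# Recommended minimum values (see "man 5 proc" and the report above):
#   protected_symlinks / protected_hardlinks: 1
#   protected_regular / protected_fifos: 1 covers world-writable sticky
#   directories such as /tmp; 2 additionally covers group-writable ones.
RECOMMENDED="protected_symlinks=1 protected_hardlinks=1 protected_regular=1 protected_fifos=1"

# check_protected_sysctls [PROC_SYS_FS_DIR]
# Reads each knob from $1 (default /proc/sys/fs), prints one line per knob
# and returns 1 if any knob is missing or below the recommended value.
# Needs no privileges: the files are world-readable.
check_protected_sysctls() {
    dir="${1:-/proc/sys/fs}"
    rc=0
    for pair in $RECOMMENDED; do
        name="${pair%%=*}"
        want="${pair#*=}"
        if [ -r "$dir/$name" ]; then
            have=$(cat "$dir/$name")
        else
            have="missing"   # knob absent: kernel older than 4.19 or patched out
        fi
        case "$have" in
            [0-9]*)
                if [ "$have" -ge "$want" ]; then
                    echo "ok      fs.$name = $have"
                else
                    echo "UNSAFE  fs.$name = $have (want >= $want)"
                    rc=1
                fi ;;
            *)
                echo "UNSAFE  fs.$name = $have"
                rc=1 ;;
        esac
    done
    return $rc
}

# write_protected_dropin FILE
# Writes a sysctl.d drop-in that sets the same four knobs the systemd
# 50-default.conf sets. Apply it with `sysctl --system` (or `sysctl -p FILE`)
# as root; a hypothetical name would be /etc/sysctl.d/60-protected-files.conf.
write_protected_dropin() {
    out="$1"
    {
        echo "# Do not follow symlinks / create hardlinks across users in sticky dirs"
        echo "fs.protected_symlinks = 1"
        echo "fs.protected_hardlinks = 1"
        echo "# Refuse O_CREAT opens of existing regular files / FIFOs owned by"
        echo "# another user in world-writable sticky directories (e.g. /tmp)"
        echo "fs.protected_regular = 1"
        echo "fs.protected_fifos = 1"
    } > "$out"
}

# Stand-alone use: `sh this_script.sh --audit` audits the running kernel.
case "${1:-}" in
    --audit) check_protected_sysctls ;;
esac
```

The audit reads /proc/sys/fs directly rather than parsing sysctl.d files, so it reports what the kernel is actually enforcing regardless of whether the value came from a genpatches default, a systemd drop-in or a manual sysctl -w. A "missing" result for protected_regular or protected_fifos means the kernel predates 4.19, where those two knobs were introduced.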
Since systemd already fixes this, also CCing openrc and baselayout maintainers in case they want to also fix this in their respective packages.
(In reply to John Helmert III from comment #2)
> Since systemd already fixes this, also CCing openrc and baselayout
> maintainers in case they want to also fix this in their respective packages.

I can add this to the existing genpatches patch.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85149b19f5c4fe8d0fa8bd8d352b6560ac6b964e

commit 85149b19f5c4fe8d0fa8bd8d352b6560ac6b964e
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-03-02 14:08:40 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-03-02 14:08:40 +0000

    sys-kernel/gentoo-sources: Linux patch 5.16.12 and genpatches

    Update default sec restrictions

    Closes: https://bugs.gentoo.org/834085
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                |  3 +++
 .../gentoo-sources/gentoo-sources-5.16.12.ebuild  | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4db791b9da99f1f6cf76df6c4f590046dcc65161

commit 4db791b9da99f1f6cf76df6c4f590046dcc65161
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-03-02 14:08:02 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-03-02 14:08:02 +0000

    sys-kernel/gentoo-sources: Linux patch 5.15.26 and genpatches

    Update default sec restrictions

    Bug: https://bugs.gentoo.org/834085
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                |  3 +++
 .../gentoo-sources/gentoo-sources-5.15.26.ebuild  | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bbf94ff6ca20726f0e9b20578f3db264aa0a86b

commit 9bbf94ff6ca20726f0e9b20578f3db264aa0a86b
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-03-02 14:07:20 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-03-02 14:07:20 +0000

    sys-kernel/gentoo-sources: Linux patch 5.10.103 and genpatches

    Update default sec restrictions

    Bug: https://bugs.gentoo.org/834085
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                |  3 +++
 .../gentoo-sources/gentoo-sources-5.10.103.ebuild | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=344e1a202c490d1ed7d547b73d17919d110fd838

commit 344e1a202c490d1ed7d547b73d17919d110fd838
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-03-02 14:06:39 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-03-02 14:06:39 +0000

    sys-kernel/gentoo-sources: Linux patch 5.4.182 and genpatches

    Update default sec restrictions

    Bug: https://bugs.gentoo.org/834085
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                |  3 +++
 .../gentoo-sources/gentoo-sources-5.4.182.ebuild  | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a42f74cccaac3c5d6610411bed168acd37aad03

commit 5a42f74cccaac3c5d6610411bed168acd37aad03
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-03-02 14:05:40 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-03-02 14:05:40 +0000

    sys-kernel/gentoo-sources: Linux patch 4.19.232 and genpatches

    Update default sec restrictions

    Bug: https://bugs.gentoo.org/834085
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                |  3 +++
 .../gentoo-sources/gentoo-sources-4.19.232.ebuild | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8027602c6b85f47f618c5b3bd2bbb08efbdc127a

commit 8027602c6b85f47f618c5b3bd2bbb08efbdc127a
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-03-02 14:04:00 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-03-02 14:04:00 +0000

    sys-kernel/gentoo-sources: Linux patch 4.14.269 and genpatches

    Update default sec restrictions

    Bug: https://bugs.gentoo.org/834085
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                |  3 +++
 .../gentoo-sources/gentoo-sources-4.14.269.ebuild | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d35667711bce9294ab5f03064fd3f6cb5857e1b

commit 5d35667711bce9294ab5f03064fd3f6cb5857e1b
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-03-02 13:58:56 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-03-02 14:00:24 +0000

    sys-kernel/gentoo-sources: Linux patch 4.9.304 and one additional patch

    Update default sec restrictions

    Bug: https://bugs.gentoo.org/834085
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                |  3 +++
 .../gentoo-sources/gentoo-sources-4.9.304.ebuild  | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)