Bug 704914 - Enable protected_symlinks/protected_hardlinks by default in baselayout/sysctl.conf
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo Security
Depends on: 737664
Reported: 2020-01-07 08:50 UTC by Hanno Böck
Modified: 2020-08-30 22:02 UTC
Description Hanno Böck gentoo-dev 2020-01-07 08:50:55 UTC
By default chown traverses through symlinks and hardlinks, which can enable a class of attacks if a chown is called on a path in a user-writable directory.
There are currently two unfixed bugs against openrc/opentmpfiles [1] [2] which demonstrate such vulnerabilities.

The kernel provides hardening features that prevent these attacks which can be enabled via sysctl (fs.protected_symlinks/fs.protected_hardlinks). This is currently default-enabled by gentoo-sources [3], which effectively means users of other kernels (vanilla-sources or manually installed kernels) are unprotected.

We should consider enabling these options via sysctl.conf by default in baselayout.

This could of course in theory break applications that rely on the chown-traversal behavior. I'm not aware of such applications though (and they already wouldn't work with gentoo-sources).

[1] https://github.com/OpenRC/opentmpfiles/issues/3
[2] https://github.com/OpenRC/opentmpfiles/issues/4
[3] https://dev.gentoo.org/~mpagano/genpatches/trunk/5.5/1510_fs-enable-link-security-restrictions-by-default.patch
Comment 1 William Hubbs gentoo-dev 2020-01-07 14:07:38 UTC
I tend to agree that baselayout is the better place for this.
I will leave the bug here however for a few days to give people time to
propose other options.

If nothing else has been proposed by the weekend, I will release a new
baselayout that enables these by default.
Comment 2 Michael Orlitzky gentoo-dev 2020-01-07 14:46:19 UTC
Setting these sysctls is probably a good idea. The reason upstream hasn't done it is because it breaks POSIX.

But let's not pretend that it fixes the vulnerabilities in opentmpfiles. It turns the trivial exploit in issue #3 into a race condition, and it has no effect on issue #4.
Comment 3 Mike Gilbert gentoo-dev 2020-01-07 17:30:32 UTC
The modern way to implement this would be a snippet installed in /usr/lib/sysctl.d rather than adding them to /etc/sysctl.conf.
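The description above explains which two knobs close the chown-follows-link hole, and comment 3 says where the setting belongs on a modern system. The script below is an added example, not baselayout's own code or the file the commit installs: it renders a sysctl.d snippet with those two settings and audits a kernel for them, reporting a knob as missing when the kernel does not expose it (which is exactly the unprotected case the reporter describes for non-gentoo-sources kernels). The snippet file name and its contents are assumed to match what the later commit adds; the procfs-root parameter exists only so the audit can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not Gentoo's or baselayout's own code).
# Assumption: a sysctl.d snippet named 00protected-links.conf holding the two
# lines below is what baselayout installs; the real file may differ in detail.

# Render the two settings in sysctl.d syntax, i.e. what a snippet under
# /usr/lib/sysctl.d would contain.
protected_links_conf() {
    printf '%s\n' \
        'fs.protected_symlinks = 1' \
        'fs.protected_hardlinks = 1'
}

# Read one fs.* knob from the procfs tree rooted at $1 (default /proc/sys).
# Prints its value, or "missing" when the kernel does not expose the knob
# (a kernel built without the feature, or one too old to have it).
read_knob() {
    root=${1:-/proc/sys}
    knob=$2
    f="$root/fs/$knob"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'missing'
    fi
}

# Audit: print one line per knob and return 0 only if both restrictions are on.
# Usage: check_protected_links [procfs-root]
check_protected_links() {
    root=${1:-/proc/sys}
    status=0
    for knob in protected_symlinks protected_hardlinks; do
        v=$(read_knob "$root" "$knob")
        case $v in
            1) printf '%s = 1 (enabled)\n' "$knob" ;;
            0) printf '%s = 0 (DISABLED)\n' "$knob"; status=1 ;;
            *) printf '%s = %s (not available)\n' "$knob" "$v"; status=1 ;;
        esac
    done
    return $status
}

# Stand-alone run: audit the live kernel. To install the snippet as root and
# apply it, uncomment the line after the audit.
check_protected_links /proc/sys || echo 'at least one link restriction is off'
# protected_links_conf > /usr/lib/sysctl.d/00protected-links.conf && sysctl --system
```

The audit deliberately treats a missing knob as a failure rather than skipping it: on such a kernel the sysctl.d snippet is silently ignored, so a fleet check that only greps the snippet would report the host as hardened when it is not.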
Comment 4 William Hubbs gentoo-dev 2020-02-06 02:11:51 UTC
I plan to do a new baselayout release this weekend that fixes this.
Comment 5 Larry the Git Cow gentoo-dev 2020-02-10 04:21:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/baselayout.git/commit/?id=14c91b2c9dc77d6fc81746b999b92187bd9cac82

commit 14c91b2c9dc77d6fc81746b999b92187bd9cac82
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-02-10 01:47:40 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-02-10 04:12:03 +0000

    enable protected_symlinks and protected_hardlinks by default
    
    Bug:  https://bugs.gentoo.org/704914
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 etc.Linux/sysctl.d/00protected-links.conf |  2 ++
 etc.Linux/sysctl.d/README                 | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
Comment 6 William Hubbs gentoo-dev 2020-02-10 04:33:54 UTC
baselayout 2.7 contains this fix.