By default chown traverses through symlinks and hardlinks, which can enable a class of attacks if a chown is called on a path in a user-writable directory. There are currently two unfixed bugs against openrc/opentmpfiles [1] [2] which demonstrate such vulnerabilities. The kernel provides hardening features that prevent these attacks which can be enabled via sysctl (fs.protected_symlinks/fs.protected_hardlinks). This is currently default-enabled by gentoo-sources [3], which effectively means users of other kernels (vanilla-sources or manually installed kernels) are unprotected. We should consider enabling these options via sysctl.conf by default in baselayout. This could of course in theory break applications that rely on the chown-traversal behavior. I'm not aware of such applications though (and they already wouldn't work with gentoo-sources).

[1] https://github.com/OpenRC/opentmpfiles/issues/3
[2] https://github.com/OpenRC/opentmpfiles/issues/4
[3] https://dev.gentoo.org/~mpagano/genpatches/trunk/5.5/1510_fs-enable-link-security-restrictions-by-default.patch
I tend to agree that baselayout is the better place for this. I will leave the bug here however for a few days to give people time to propose other options. If nothing else has been proposed by the weekend, I will release a new baselayout that enables these by default.
Setting these sysctls is probably a good idea. The reason upstream hasn't done it is because it breaks POSIX. But let's not pretend that it fixes the vulnerabilities in opentmpfiles. It turns the trivial exploit in issue #3 into a race condition, and it has no effect on issue #4.
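To make the two points in this thread concrete, here is an added example; it is not part of the bug's comments, of opentmpfiles or of baselayout. The first function models the decision the kernel makes for a symlink when fs.protected_symlinks=1 (the rule in fs/namei.c: a link in a sticky, world-writable directory is followed only by its owner or when the directory owner also owns the link), evaluated on constructed stat-like objects. The second shows what a program must do itself if it does not want to depend on the sysctl: open the final path component with O_NOFOLLOW, inspect the descriptor with fstat, and chown the descriptor with fchown, so the path is never re-resolved between check and use. Refusing regular files with a link count above one is a general precaution against hard-linked targets, not a statement about what issue #4 involves. The names (`symlink_follow_allowed`, `chown_nofollow`, `UnsafeChownError`, `demo`) and the scenario in `demo` are the example's own.

```python
import errno
import os
import stat
import tempfile
from types import SimpleNamespace


class UnsafeChownError(OSError):
    """Raised when the chown target is not a plain, unshared inode."""


def fake_stat(mode, uid):
    """Constructed stand-in for an os.stat_result (only the fields we need)."""
    return SimpleNamespace(st_mode=mode, st_uid=uid)


def symlink_follow_allowed(link_st, dir_st, follower_uid):
    """Model of the fs.protected_symlinks=1 rule (fs/namei.c, may_follow_link).

    link_st/dir_st carry st_mode and st_uid of the symlink and of the directory
    containing it; follower_uid is the fsuid of the process resolving the path.
    """
    # Anyone may follow a symlink they own.
    if follower_uid == link_st.st_uid:
        return True
    # The restriction only applies inside sticky, world-writable directories
    # (the /tmp pattern that the opentmpfiles bugs abuse).
    sticky_ww = stat.S_ISVTX | stat.S_IWOTH
    if (dir_st.st_mode & sticky_ww) != sticky_ww:
        return True
    # Inside such a directory the link must belong to the directory's owner.
    return dir_st.st_uid == link_st.st_uid


def chown_nofollow(path, uid, gid):
    """chown(2) without the path-traversal hazard.

    Opens the last component with O_NOFOLLOW so a planted symlink is refused
    (ELOOP) instead of being followed, then operates on the descriptor: fstat
    sees the inode we actually opened, and fchown changes that inode rather
    than whatever the path resolves to a moment later. Returns the stat result
    of the changed inode.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_NOCTTY | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise UnsafeChownError(errno.ELOOP, "refusing to follow symlink", path) from e
        raise
    try:
        st = os.fstat(fd)
        # A regular file reachable through a second name is a hard link that
        # some other path (possibly outside our directory) also controls.
        if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            raise UnsafeChownError(errno.EMLINK, "refusing hard-linked file", path)
        os.fchown(fd, uid, gid)
        return st
    finally:
        os.close(fd)


def demo():
    """Constructed scenario (not from the bug report): in a directory we control,
    'planted' is a symlink to a file the chown must not reach, 'hard' is a
    hard link to it, and 'honest' is the plain file a tmpfiles entry expects.
    Ownership is set to our own uid/gid so the demo also works unprivileged."""
    uid, gid = os.getuid(), os.getgid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        with open(victim, "w") as f:
            f.write("sensitive\n")
        planted = os.path.join(d, "planted")
        os.symlink(victim, planted)
        # A plain os.chown(planted) would act on 'victim': the path resolves there.
        results["path_resolves_to_victim"] = os.stat(planted).st_ino == os.stat(victim).st_ino
        try:
            chown_nofollow(planted, uid, gid)
            results["symlink"] = "changed"
        except UnsafeChownError:
            results["symlink"] = "refused"
        honest = os.path.join(d, "honest")
        open(honest, "w").close()
        results["regular"] = "changed" if chown_nofollow(honest, uid, gid).st_nlink == 1 else "odd"
        hard = os.path.join(d, "hard")
        os.link(victim, hard)
        try:
            chown_nofollow(hard, uid, gid)
            results["hardlink"] = "changed"
        except UnsafeChownError:
            results["hardlink"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The same check-on-descriptor pattern is what `chown -h` (lchown) gives for the symlink case only; it does nothing about a hard link, which is why the link-count test is there. Note the model function reflects the kernel's rule for symlinks alone; fs.protected_hardlinks is a separate restriction on creating links, not on following them.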
The modern way to implement this would be a snippet installed in /usr/lib/sysctl.d rather than adding them to /etc/sysctl.conf.
I plan to do a new baselayout release this weekend that fixes this.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/baselayout.git/commit/?id=14c91b2c9dc77d6fc81746b999b92187bd9cac82

commit 14c91b2c9dc77d6fc81746b999b92187bd9cac82
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-02-10 01:47:40 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-02-10 04:12:03 +0000

    enable protected_symlinks and protected_hardlinks by default

    Bug: https://bugs.gentoo.org/704914
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 etc.Linux/sysctl.d/00protected-links.conf |  2 ++
 etc.Linux/sysctl.d/README                 | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
baselayout 2.7 contains this fix.