Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20120219123151.GA25900@elte.hu>
Date: Sun, 19 Feb 2012 13:31:51 +0100
From: Ingo Molnar <mingo@...e.hu>
To: Kees Cook <keescook@...omium.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>, linux-kernel@...r.kernel.org,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Rik van Riel <riel@...hat.com>,
	Federica Teodori <federica.teodori@...glemail.com>,
	Lucian Adrian Grijincu <lucian.grijincu@...il.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Eric Paris <eparis@...hat.com>, Randy Dunlap <rdunlap@...otime.net>,
	Dan Rosenberg <drosenberg@...curity.com>, linux-doc@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v2012.2] fs: symlink restrictions on sticky directories


* Kees Cook <keescook@...omium.org> wrote:

> >> > I think I disagree with this. __If the person compiling 
> >> > the kernel includes the feature in his kernel via the 
> >> > time-honoured process of "wtf is that thing? __Yeah, 
> >> > whatev", it gets turned on by default. __This could 
> >> > easily result in weird failures which would take a *long* 
> >> > time for an unsuspecting person to debug.
> >> >
> >> > Would it not be kinder to our users to start this out as 
> >> > turned-off-at-runtime unless the kernel configurer has 
> >> > deliberately gone in and enabled it?
> >>
> >> There was a fair bit of back-and-forth discussion about it. 
> >> Originally, I had it disabled, but, IIRC, Ingo urged me to 
> >> have it be the default. I can sent a patch to disable it if 
> >> you want.
> >
> > What is the reasoning behind the current setting?
> 
> The logic is currently:
> 
> - from a security perspective, enabling the restriction is 
> safer
> - in the last many years, nothing has been found to be
>  broken by this restriction
> 
> The evidence for the second part mostly comes from people's 
> recollections using OpenWall, grsecurity, and lately Ubuntu. I 
> can speak from the Ubuntu history, which is that in the 1.5 
> years the symlink restriction has been enabled, no bugs about 
> it were reported that I'm aware of (and I was aware of, and 
> fixed, several of bugs in the other restrictions that are 
> carried in Ubuntu).

I'd say all this current evidence suggests that it should be on 
by default - having it off only helps attackers and hermite 
systems.

So at minimum we should wait until the first regression report 
before twiddling it off. I could be wrong though.

Thanks,

	Ingo

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.