# su - nobody
No directory, logging in with HOME=/
nobody@jidanni2:/$ date > /tmp/cc
nobody@jidanni2:/$ ln -s /tmp/cc /tmp/dd
nobody@jidanni2:/$ ls -l /tmp/cc /tmp/dd
-rw-r--r-- 1 nobody nogroup 29 Sep 7 08:37 /tmp/cc
lrwxrwxrwx 1 nobody nogroup 7 Sep 7 08:37 /tmp/dd -> /tmp/cc
nobody@jidanni2:/$ su -
# cat /tmp/cc /tmp/dd
Fri Sep 7 08:37:38 CST 2012
cat: /tmp/dd: Permission denied
# tail /var/log/syslog
Sep 7 08:36:46 jidanni2 kernel: [19394.443080] type=1400 audit(1346978206.292:11): op=follow_link action=denied pid=19327 comm="cat" path="/tmp/bb" dev="tmpfs" ino=275448
# uname -a
Linux jidanni2 3.2.0-3-486 #1 Mon Jul 23 02:47:49 UTC 2012 i686 GNU/Linux
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/87fw6ups54.fsf@jidanni.org
Archive: http://lists.debian.org/20120907015008.GL6169@yuggoth.org
09-07-2012, 01:56 AM
Paul Wise
even root cannot read my symlinks!
On Fri, Sep 7, 2012 at 9:50 AM, The Fungi wrote:
> http://lwn.net/Articles/502621/
The file and symlink have the same owner so that is unlikely to be the
cause, unless the feature is buggy.
--
bye,
pabs
http://wiki.debian.org/PaulWise
Archive: http://lists.debian.org/CAKTje6FZhCqobfYr5r84-gQaa+HqPWmGpDhS6BZBbRnX8MbkDw@mail.gmail.com
09-07-2012, 02:11 AM
Ben Hutchings
even root cannot read my symlinks!
On Fri, 2012-09-07 at 08:56 +0800, jidanni@jidanni.org wrote:
> # su - nobody
> No directory, logging in with HOME=/
> nobody@jidanni2:/$ date > /tmp/cc
> nobody@jidanni2:/$ ln -s /tmp/cc /tmp/dd
> nobody@jidanni2:/$ ls -l /tmp/cc /tmp/dd
> -rw-r--r-- 1 nobody nogroup 29 Sep 7 08:37 /tmp/cc
> lrwxrwxrwx 1 nobody nogroup 7 Sep 7 08:37 /tmp/dd -> /tmp/cc
> nobody@jidanni2:/$ su -
> # cat /tmp/cc /tmp/dd
> Fri Sep 7 08:37:38 CST 2012
> cat: /tmp/dd: Permission denied
> # tail /var/log/syslog
> Sep 7 08:36:46 jidanni2 kernel: [19394.443080] type=1400 audit(1346978206.292:11): op=follow_link action=denied pid=19327 comm="cat" path="/tmp/bb" dev="tmpfs" ino=275448
> # uname -a
> Linux jidanni2 3.2.0-3-486 #1 Mon Jul 23 02:47:49 UTC 2012 i686 GNU/Linux
linux-2.6 (3.2.9-1) unstable; urgency=high
[...]
* fs: Introduce and enable security restrictions on links:
- Do not follow symlinks in /tmp that are owned by other users
(sysctl: fs.protected_symlinks)
- Do not allow unprivileged users to create hard links to sensitive files
(sysctl: fs.protected_hardlinks) (Closes: #609455)
+ This breaks the 'at' package in stable, which will be fixed shortly
(see #597130)
The precise restrictions are specified in Documentation/sysctl/fs.txt in
the linux-doc-3.2 and linux-source-3.2 packages.
--
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
- Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'
09-07-2012, 02:12 AM
Ben Hutchings
even root cannot read my symlinks!
On Fri, 2012-09-07 at 09:56 +0800, Paul Wise wrote:
> On Fri, Sep 7, 2012 at 9:50 AM, The Fungi wrote:
>
> > http://lwn.net/Articles/502621/
>
> The file and symlink have the same owner so that is unlikely to be the
> cause, unless the feature is buggy.
The comparison is between the owner of the symlink and the user trying
to follow it.
Ben.
--
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
- Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'
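The rule Ben states above, worked through as an added example (not code from the thread, from Debian or from the kernel): a Python model of the fs.protected_symlinks decision as documented in Documentation/sysctl/fs.txt, run over the thread's scenario (root following a symlink owned by nobody in /tmp), plus a small parser for the follow_link denial records the kernel leaves in syslog. The Inode class, may_follow_link, parse_follow_link_denials and the sample data are constructed for this example.

```python
import re
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """Minimal model of the inode fields the check looks at (constructed for this example)."""
    uid: int
    mode: int  # st_mode bits, including the file type


def may_follow_link(link: Inode, parent_dir: Inode, fsuid: int,
                    protected_symlinks: bool = True) -> bool:
    """Decide whether following symlink `link` found in `parent_dir` is allowed.

    Mirrors the rule in Documentation/sysctl/fs.txt for fs.protected_symlinks:
    the restriction only applies inside a world-writable sticky directory such
    as /tmp; there the link is followed only if its owner is the follower
    (fsuid) or the directory's owner. Note that there is no exemption for
    root, which is exactly what the original poster observed.
    """
    if not protected_symlinks:
        return True
    sticky_world_writable = bool(parent_dir.mode & stat.S_ISVTX) and bool(parent_dir.mode & stat.S_IWOTH)
    if not sticky_world_writable:
        return True
    if link.uid == parent_dir.uid:
        return True  # e.g. root's own symlinks in root-owned /tmp stay usable by everyone
    return link.uid == fsuid


# Pulls the fields out of a kernel audit record like the one quoted in the thread.
AUDIT_RE = re.compile(r'op=follow_link action=(?P<action>\w+) pid=(?P<pid>\d+) '
                      r'comm="(?P<comm>[^"]+)" path="(?P<path>[^"]+)"')


def parse_follow_link_denials(syslog_lines):
    """Return pid/comm/path for every 'op=follow_link action=denied' record in the lines."""
    denials = []
    for line in syslog_lines:
        m = AUDIT_RE.search(line)
        if m and m.group("action") == "denied":
            denials.append({"pid": int(m.group("pid")), "comm": m.group("comm"), "path": m.group("path")})
    return denials


# Constructed scenario matching the thread: /tmp is root-owned mode 1777,
# /tmp/dd is a symlink owned by nobody (uid 65534), and root (uid 0) follows it.
TMP = Inode(uid=0, mode=stat.S_IFDIR | 0o1777)
LINK_BY_NOBODY = Inode(uid=65534, mode=stat.S_IFLNK | 0o777)
SAMPLE_SYSLOG = [  # constructed, shaped like the syslog line quoted in the thread
    'Sep  7 08:36:46 jidanni2 kernel: [19394.443080] type=1400 audit(1346978206.292:11): op=follow_link action=denied pid=19327 comm="cat" path="/tmp/bb" dev="tmpfs" ino=275448',
    'Sep  7 08:36:47 jidanni2 kernel: [19394.500000] unrelated message',
]

if __name__ == "__main__":
    print("root follows nobody's link in /tmp:", may_follow_link(LINK_BY_NOBODY, TMP, fsuid=0))   # False
    print("nobody follows its own link:", may_follow_link(LINK_BY_NOBODY, TMP, fsuid=65534))   # True
    print(parse_follow_link_denials(SAMPLE_SYSLOG))
```

Setting fs.protected_symlinks to 0 via sysctl disables the check entirely; the model's protected_symlinks flag stands in for that.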
09-08-2012, 10:06 PM
even root cannot read my symlinks!
I see.
Who knows what they'll break next.
Perhaps next time add a note to
/usr/share/doc/linux-image-486/NEWS.Debian.gz
Archive: http://lists.debian.org/87ligki2zp.fsf@jidanni.org
09-09-2012, 12:54 AM
Ben Hutchings
even root cannot read my symlinks!
On Sun, 2012-09-09 at 06:06 +0800, jidanni@jidanni.org wrote:
> I see.
> Who knows what they'll break next.
Do you use any particular obscure features that I could suggest?
> Perhaps next time add a note to
> /usr/share/doc/linux-image-486/NEWS.Debian.gz
I originally proposed to do this when discussing these changes on
debian-devel and debian-kernel. However, these changes were previously
applied in other distributions and the only application found to be
affected was 'at' (which has been fixed in a stable update).
NEWS is not a listing of every change that could possibly cause a
regression.
Ben.
--
Ben Hutchings
Time is nature's way of making sure that everything doesn't happen at once.
09-09-2012, 03:17 AM
Nick Leverton
even root cannot read my symlinks!
On Sun, Sep 09, 2012 at 01:54:20AM +0100, Ben Hutchings wrote:
> On Sun, 2012-09-09 at 06:06 +0800, jidanni@jidanni.org wrote:
> > I see.
> > Who knows what they'll break next.
>
> Do you use any particular obscure features that I could suggest?
Networking, keyboards, rotating media ...
Nick
Archive: http://lists.debian.org/20120909031700.GA26265@leverton.org