03-02-2012, 04:11 AM
Ben Hutchings

Linux kernel hardening - link restrictions

The longstanding link restriction patches were recently accepted by
Andrew Morton and are likely to end up in Linux 3.4. I've applied
these to src:linux-2.6 in svn and they should end up in the upcoming
version 3.2.9-1.

We know that these are going to break some programs, most notably
'at' (#597130, fixed in wheezy/sid). But of course it's possible
to work around that by disabling the restriction, so I don't think
this should result in a 'Breaks' relation.

I'm therefore intending to warn about this with the following NEWS
entry in the linux-image metapackages:

Index: debian/linux-image.NEWS
================================================== =================
--- debian/linux-image.NEWS (revision 18757)
+++ debian/linux-image.NEWS (working copy)
@@ -1,3 +1,18 @@
+linux-latest (44) unstable; urgency=low
+
+ * The new kernel version includes security restrictions on links, which
+ are enabled by default. These are specified in
+ Documentation/sysctl/fs.txt in the linux-doc-3.2 and linux-source-3.2
+ packages.
+
+ These restrictions may cause some legitimate programs to fail.
+ In particular, if the 'at' package is installed, you should either:
+ - Upgrade it to at least version 3.1.13-1 (or a backport of that)
+ or:
+ - Set sysctl fs.protected_hardlinks=0 (see /etc/sysctl.conf)
+
+ -- Ben Hutchings <ben@decadent.org.uk> Fri, 02 Mar 2012 04:58:24 +0000
+
linux-latest-2.6 (26) unstable; urgency=low

* The old IDE (PATA) drivers are no longer developed. Most PATA
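Review bot: the entry says the kernel adds "restrictions" (plural) and points at Documentation/sysctl/fs.txt, but the only knob it names is fs.protected_hardlinks, so a reader whose program trips a different restriction from the same set has nothing to flip, and a reader whose program trips this one is not told that the hardlink restriction is what breaks 'at'. Suggest listing every new fs.* sysctl the entry is warning about and tying the at item to its cause, e.g. "at before 3.1.13-1 fails when fs.protected_hardlinks=1". The second bullet should also say that setting fs.protected_hardlinks=0 in /etc/sysctl.conf disables the hardening for every user on the system, so it is the fallback until at is upgraded rather than an equal alternative to the first option.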
--- END ---

(Why in the metapackages, you ask? Because apt-listchanges shows NEWS
from upgraded packages, not new packages.)

Does anyone have a better idea how to do this? Know about other
packages that are affected?

Ben.

--
Ben Hutchings
One of the nice things about standards is that there are so many of them.


--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120302051158.GU12704@decadent.org.uk
 
03-02-2012, 04:40 AM
Kees Cook

Linux kernel hardening - link restrictions

On Fri, Mar 02, 2012 at 05:11:58AM +0000, Ben Hutchings wrote:
> The longstanding link restriction patches were recently accepted by
> Andrew Morton and are likely to end up in Linux 3.4. I've applied
> these to src:linux-2.6 in svn and they should end up in the upcoming
> version 3.2.9-1.

That's excellent news! (I am biased, obviously.)

> We know that these are going to break some programs, most notably
> 'at' (#597130, fixed in wheezy/sid). But of course it's possible
> to work around that by disabling the restriction, so I don't think
> this should result in a 'Breaks' relation.

FWIW, as some background, "at" is the only package that I'm aware of
breaking across 1.5 years of (a version of) this patch living in Ubuntu,
and in many more years living in Openwall Linux and grsecurity. So I
feel like "going to break some" is strong.

> I'm therefore intending to warn about this with the following NEWS
> entry in the linux-image metapackages:
>
> Index: debian/linux-image.NEWS
> ================================================== =================
> --- debian/linux-image.NEWS (revision 18757)
> +++ debian/linux-image.NEWS (working copy)
> @@ -1,3 +1,18 @@
> +linux-latest (44) unstable; urgency=low
> +
> + * The new kernel version includes security restrictions on links, which
> + are enabled by default. These are specified in
> + Documentation/sysctl/fs.txt in the linux-doc-3.2 and linux-source-3.2
> + packages.
> +
> + These restrictions may cause some legitimate programs to fail.
> + In particular, if the 'at' package is installed, you should either:
> + - Upgrade it to at least version 3.1.13-1 (or a backport of that)
> + or:
> + - Set sysctl fs.protected_hardlinks=0 (see /etc/sysctl.conf)
> +
> + -- Ben Hutchings <ben@decadent.org.uk> Fri, 02 Mar 2012 04:58:24 +0000
> +

This seems like a sensible NEWS item to me. The use of "may break"
seems better than "going to break some".

> linux-latest-2.6 (26) unstable; urgency=low
>
> * The old IDE (PATA) drivers are no longer developed. Most PATA
> --- END ---
>
> (Why in the metapackages, you ask? Because apt-listchanges shows NEWS
> from upgraded packages, not new packages.)
>
> Does anyone have a better idea how to do this? Know about other
> packages that are affected?

It's a trivial patch[1] to fix "at". How about just backporting that
change to stable, to avoid that known trouble too? This is what Ubuntu
did for the Lucid LTS release that was getting backported kernels (with
link restrictions) built for it.

-Kees

[1] http://anonscm.debian.org/gitweb/?p=collab-maint/at.git;a=commitdiff;h=f4114656c3a6c6f6070e315ffdf940a49eda3279

--
Kees Cook @debian.org


Archive: http://lists.debian.org/20120302054021.GU3990@outflux.net
 
03-02-2012, 04:48 AM
Jonas Smedegaard

Linux kernel hardening - link restrictions

On 12-03-02 at 05:11am, Ben Hutchings wrote:
> The longstanding link restriction patches were recently accepted by
> Andrew Morton and are likely to end up in Linux 3.4. I've applied
> these to src:linux-2.6 in svn and they should end up in the upcoming
> version 3.2.9-1.
>
> We know that these are going to break some programs, most notably
> 'at' (#597130, fixed in wheezy/sid). But of course it's possible
> to work around that by disabling the restriction, so I don't think
> this should result in a 'Breaks' relation.
>
> I'm therefore intending to warn about this with the following NEWS
> entry in the linux-image metapackages:
>
> Index: debian/linux-image.NEWS
> ================================================== =================
> --- debian/linux-image.NEWS (revision 18757)
> +++ debian/linux-image.NEWS (working copy)
> @@ -1,3 +1,18 @@
> +linux-latest (44) unstable; urgency=low
> +
> + * The new kernel version includes security restrictions on links, which
> + are enabled by default. These are specified in
> + Documentation/sysctl/fs.txt in the linux-doc-3.2 and linux-source-3.2
> + packages.
> +
> + These restrictions may cause some legitimate programs to fail.
> + In particular, if the 'at' package is installed, you should either:
> + - Upgrade it to at least version 3.1.13-1 (or a backport of that)
> + or:
> + - Set sysctl fs.protected_hardlinks=0 (see /etc/sysctl.conf)
> +
> + -- Ben Hutchings <ben@decadent.org.uk> Fri, 02 Mar 2012 04:58:24 +0000
> +
> linux-latest-2.6 (26) unstable; urgency=low
>
> * The old IDE (PATA) drivers are no longer developed. Most PATA
> --- END ---
>
> (Why in the metapackages, you ask? Because apt-listchanges shows NEWS
> from upgraded packages, not new packages.)
>
> Does anyone have a better idea how to do this? Know about other
> packages that are affected?

I suggest to add it to *both* metapackages and real packages: Some may
not use the metapackages and may inspect the NEWS file by other means
than via apt-listchanges (which I guess is what you are talking about).


Regards,

- Jonas

--
* Jonas Smedegaard - idealist & Internet architect
* Tel.: +45 40843136 Website: http://dr.jones.dk/

[x] quote me freely [ ] ask before reusing [ ] keep private
 
03-02-2012, 06:43 AM
Lars Wirzenius

Linux kernel hardening - link restrictions

On Fri, Mar 02, 2012 at 05:11:58AM +0000, Ben Hutchings wrote:
> + * The new kernel version includes security restrictions on links, which
> + are enabled by default. These are specified in
> + Documentation/sysctl/fs.txt in the linux-doc-3.2 and linux-source-3.2
> + packages.

It'd be helpful to also point at a web page where one can read that text.

--
All my predictions will turn out to be false
 
03-02-2012, 09:47 AM
Holger Levsen

Linux kernel hardening - link restrictions

Hi,

On Friday, 2 March 2012, Kees Cook wrote:
> > + * The new kernel version includes security restrictions on links,
> > + These restrictions may cause some legitimate programs to fail.
> > + In particular, if the 'at' package is installed, you should either:
> > + - Upgrade it to at least version 3.1.13-1 (or a backport of that)
> > + - Set sysctl fs.protected_hardlinks=0 (see /etc/sysctl.conf)
> It's a trivial patch[1] to fix "at". How about just backporting that
> change to stable, to avoid that known trouble too? This is what Ubuntu
> did for the Lucid LTS release that was getting backported kernels (with
> link restrictions) built for it.

sounds like a reasonable plan to me, cc:ing debian-release to get a comment
on this, and cc:ing the at maintainer too.

> [1]
> http://anonscm.debian.org/gitweb/?p=collab-maint/at.git;a=commitdiff;h=f4114656c3a6c6f6070e315ffdf940a49eda3279


cheers,
Holger


Archive: http://lists.debian.org/201203021147.16121.holger@layer-acht.org