Mailinglist Archive: opensuse (924 mails)

[opensuse] Testing symlink protection in Kernel 3.6?
Hello,

I installed the 3.6 Kernel update from
download.opensuse.org/repositories/Kernel:/stable/standard/. I'd
like to check if the symlink protection of Kernel 3.6 is working.
The symlink protection seems to be enabled by default. Anyway, I
can use symlinks in /tmp like before without many limitations.

Is this the expected behavior?

# uname -r
3.6.0-2-desktop
# cat /proc/sys/fs/protected_symlinks
1
# cat /proc/sys/fs/protected_hardlinks
1
# ln -sv /usr/bin /tmp/usrbin
‘/tmp/usrbin’ -> ‘/usr/bin’
# l /tmp/usrbin
lrwxrwxrwx 1 root root 8 Oct 10 10:23 /tmp/usrbin -> /usr/bin/
# l /tmp/usrbin/sudo
-rwsr-xr-x 1 root root 121240 Jul 16 14:57 /tmp/usrbin/sudo*
# ls -ld /tmp
drwxrwxrwt 47 root root 57344 Oct 10 10:23 /tmp
# /tmp/usrbin/sudo -V
Sudo version 1.8.5p2
[...]

The only limitation I found is that the listing of symlinked
directories is disabled if the UIDs do not match:

# su -s /bin/bash mail
# id
uid=8(mail) gid=12(mail) groups=12(mail)
# ln -sv /usr/bin /tmp/usrbin2
‘/tmp/usrbin2’ -> ‘/usr/bin’
# exit
# id
uid=0(root) gid=0(root) groups=0(root)
# ls -l /tmp/usrbin2
lrwxrwxrwx 1 mail mail 8 Oct 10 10:35 /tmp/usrbin2 -> /usr/bin
# ls -l /tmp/usrbin2/
ls: cannot access /tmp/usrbin2/: Permission denied
# echo hello > /tmp/usrbin2/abc
# cat /tmp/usrbin2/abc
hello
# rm /tmp/usrbin2/abc

Björn
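
The kernel documentation for fs.protected_symlinks says a symlink is followed only when it is outside a sticky world-writable directory, when the follower's UID matches the symlink's owner, or when the directory owner matches the symlink's owner. The script below is an added example, not part of the original post and not kernel code, that evaluates that rule for a given symlink. The function names are hypothetical, GNU stat is assumed, and it models the ownership rule only, not where in path resolution the kernel applies it.

```shell
#!/bin/sh
# Added example: models the documented fs.protected_symlinks ownership rule.
# Function names are hypothetical; nothing here is kernel code.

# link_follow_verdict PROTECTED DIR_MODE DIR_UID LINK_UID FOLLOWER_UID
# DIR_MODE is octal as printed by `stat -c %a` (for example 1777).
link_follow_verdict() {
    protected=$1 dir_mode=$2 dir_uid=$3 link_uid=$4 follower_uid=$5
    if [ "$protected" != 1 ]; then
        echo "allowed: protection disabled"; return 0
    fi
    if [ "$follower_uid" = "$link_uid" ]; then
        echo "allowed: follower owns the symlink"; return 0
    fi
    # 01002 = sticky bit (01000) | world-writable bit (0002)
    if [ $(( 0$dir_mode & 01002 )) -ne $(( 01002 )) ]; then
        echo "allowed: directory is not sticky and world-writable"; return 0
    fi
    if [ "$dir_uid" = "$link_uid" ]; then
        echo "allowed: directory owner owns the symlink"; return 0
    fi
    echo "denied: EACCES"; return 1
}

# check_symlink PATH [FOLLOWER_UID]
# Reads the live sysctl and the real owners/mode, then applies the rule.
# Example: check_symlink /tmp/usrbin2 0   (would root be allowed to follow it?)
check_symlink() {
    link=$1
    follower=${2:-$(id -u)}
    [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 2; }
    dir=$(dirname -- "$link")
    sysctl_val=$(cat /proc/sys/fs/protected_symlinks 2>/dev/null || echo 0)
    link_follow_verdict "$sysctl_val" "$(stat -c %a -- "$dir")" \
        "$(stat -c %u -- "$dir")" "$(stat -c %u -- "$link")" "$follower"
}
```

With the values from the session above (/tmp mode 1777 owned by root, UID 8 for mail), the link created by root falls under an allowed case, while the link created by mail and followed by root is the denied case.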