
Bug#1002064: default kernel setting protected_regular=2 breaks file system access and is hard to fix


Daniel Feuchtinger

Dec 21, 2021, 6:00:04 AM
Package: procps
Version: 2:3.3.17-5
Package: systemd
Version: 247.3-6

Debian 11 introduces a new feature that prevents users from writing to files that they don't own, ignoring the file permissions
(see https://github.com/torvalds/linux/commit/30aba6656f ).

1. I think that should not be the default behaviour but opt-in.
2. If you fix it (write "fs.protected_regular=0" to /etc/sysctl.conf) that fix should work.

The package procps contains the file /usr/lib/sysctl.d/protect-links.conf with the line
"fs.protected_regular = 2" that is loaded after /etc/sysctl.conf and breaks the fix.

If I remove / alter the file in /usr/lib/sysctl.d, it may be overwritten with the next update.

I don't know who's to blame, systemd not loading the files in a sensible order or
procps for putting the file in the wrong place? I suspect it's systemd, /etc/* should
override /usr/*?

A side note: I found no mention of this in the release notes or anywhere else on
a Debian site. For a change that severe, some documentation would have been helpful.

Suggestion: put a commented line in /etc/sysctl.conf

Ansgar

Dec 21, 2021, 6:20:04 AM
reassign 1002064 procps 2:3.3.17-5

On Tue, 2021-12-21 at 11:49 +0100, Daniel Feuchtinger wrote:
> Debian 11 introduces a new feature that prevents users from writing
> to files that they don't own, ignoring the file permissions
> (see https://github.com/torvalds/linux/commit/30aba6656f ).
>
> 1. I think that should not be the default behaviour but opt-in.

I disagree: it is a sensible change. If you want an insecure
configuration, you should have to explicitly configure your system to
be so.

> 2. If you fix it (write "fs.protected_regular=0" to /etc/sysctl.conf)
> that fix should work.

You need to write to /etc/sysctl.d/protect-links.conf to overwrite
settings in /usr/lib/sysctl.d/protect-links.conf.

See the "examples" section in man:systemd-sysctl(8).

Ansgar

Chris Hofstaedtler

Dec 21, 2021, 6:30:04 AM
[neither systemd nor procps maintainer here]

* Daniel Feuchtinger <daniel.fe...@lrz.de> [211221 11:14]:
> The package procps contains the file /usr/lib/sysctl.d/protect-links.conf with the line
> "fs.protected_regular = 2" that is loaded after /etc/sysctl.conf and breaks the fix.
>
> If I remove / alter the file in /usr/lib/sysctl.d, it may be overwritten with the next update.
>
> I don't know who's to blame, systemd not loading the files in a sensible order or
> procps for putting the file in the wrong place? I suspect it's systemd, /etc/* should
> override /usr/*?

systemd-sysctl uses the common logic for systemd-related config
files: if you want to override /usr/lib/sysctl.d/protect-links.conf,
you must do so in a file named /etc/sysctl.d/protect-links.conf .

You can then verify this will work by checking the output of
/lib/systemd/systemd-sysctl --cat-config

HTH,
Chris
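The two answers above describe the same rule: a drop-in file is identified by its basename, an /etc/sysctl.d copy shadows the /usr/lib/sysctl.d copy of the same name, and the surviving files are then applied in lexicographic order of basename. The script below is an added example, not code from this bug thread or from procps or systemd. It re-implements that precedence logic from systemd-sysctl(8) inside a throwaway directory, so it runs unprivileged and never touches the real /etc or /usr/lib. It assumes the four search directories named in the manual page and assumes that Debian reads /etc/sysctl.conf through the symlink /etc/sysctl.d/99-sysctl.conf, which is why the value set there loses to protect-links.conf (the digit sorts before the letter) until a file of the same name is placed under /etc/sysctl.d.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from procps/systemd.
# Simulates the drop-in precedence rules of systemd-sysctl(8) in a sandbox.
# Assumptions: the four search directories and the "same name shadows, then
# sort by basename, last one wins" rule come from the manual page; the Debian
# symlink /etc/sysctl.d/99-sysctl.conf -> ../sysctl.conf is assumed.
set -eu

ROOT=$(mktemp -d)                   # constructed sandbox root, not the real /
trap 'rm -rf "$ROOT"' EXIT

setup_sandbox() {
    mkdir -p "$ROOT/etc/sysctl.d" "$ROOT/usr/lib/sysctl.d"
    # What the procps package ships (value as stated in the report).
    printf 'fs.protected_regular = 2\n' > "$ROOT/usr/lib/sysctl.d/protect-links.conf"
    # The reporter's attempted fix in /etc/sysctl.conf, reached via the symlink.
    printf 'fs.protected_regular=0\n' > "$ROOT/etc/sysctl.conf"
    ln -sf ../sysctl.conf "$ROOT/etc/sysctl.d/99-sysctl.conf"
}

# The fix given in the thread: a file with the same name under /etc/sysctl.d.
apply_thread_fix() {
    printf 'fs.protected_regular = 0\n' > "$ROOT/etc/sysctl.d/protect-links.conf"
}

# Print the configuration files in the order they are applied: an earlier
# directory shadows a later one for the same basename, then the survivors are
# sorted by basename in the C locale, and a later file overrides an earlier one.
effective_files() {
    seen=""
    for dir in "$ROOT/etc/sysctl.d" "$ROOT/run/sysctl.d" \
               "$ROOT/usr/local/lib/sysctl.d" "$ROOT/usr/lib/sysctl.d"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -e "$f" ] || continue
            base=$(basename "$f")
            case " $seen " in *" $base "*) continue ;; esac   # shadowed by an earlier dir
            seen="$seen $base"
            printf '%s %s\n' "$base" "$f"
        done
    done | LC_ALL=C sort -k1,1 | cut -d' ' -f2-
}

# Final value of one sysctl key: walk the files in order, last assignment wins.
# Accepts both "key = value" and "key=value" spellings.
resolve_sysctl() {
    key_re=$(printf '%s\n' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    value=""
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1)
        [ -n "$v" ] && value=$v
    done <<EOF
$(effective_files)
EOF
    printf '%s\n' "$value"
}

setup_sandbox
echo "apply order: $(effective_files | xargs -n1 basename | tr '\n' ' ')"
echo "after editing only /etc/sysctl.conf:   fs.protected_regular = $(resolve_sysctl fs.protected_regular)"
apply_thread_fix
echo "with /etc/sysctl.d/protect-links.conf: fs.protected_regular = $(resolve_sysctl fs.protected_regular)"
```

On a real Debian system the equivalent check is the one Chris names, `/lib/systemd/systemd-sysctl --cat-config`, which prints the merged configuration in the order it is applied; the last assignment of a key shown there is the one that takes effect.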

Daniel Feuchtinger

Dec 21, 2021, 4:10:03 PM
On 21.12.21 at 12:10, Ansgar wrote:
> reassign 1002064 procps 2:3.3.17-5
>
> On Tue, 2021-12-21 at 11:49 +0100, Daniel Feuchtinger wrote:
>> Debian 11 introduces a new feature that prevents users from writing
>> to files that they don't own, ignoring the file permissions
>> (see https://github.com/torvalds/linux/commit/30aba6656f ).
>>
>> 1. I think that should not be the default behaviour but opt-in.
>
> I disagree: it is a sensible change. If you want an insecure
> configuration, you should have to explicitly configure your system to
> be so.

If you say so... Try a user's perspective:
You try to write to a file and it does not work (funny: touch does work)
You check the file permissions
You check the extended attributes
You search for errors and logs
You check AppArmor
You check the Debian release notes
You search for strange security features, breaking basic file system functionality
...

You'll find nothing (you'll find something,
if you know the result of your search).

File access rights are not a corner-case feature of some
special program with security holes, it's a basic file
system feature that is now "broken".

To introduce that without a visible mention
is giving your users the finger in my opinion.


>
>> 2. If you fix it (write "fs.protected_regular=0" to /etc/sysctl.conf)
>> that fix should work.
>
> You need to write to /etc/sysctl.d/protect-links.conf to overwrite
> settings in /usr/lib/sysctl.d/protect-links.conf.

Thanks for the solution.

>
> See the "examples" section in man:systemd-sysctl(8).

I still think that a hint in /etc/sysctl.conf that this
file is not working as expected would be user friendly.
Or: if you break it, why not remove it?

Anyway, you might as well close this bug, if there's no
chance of changing the default behaviour. I guess for
a visible mention in the release notes, it is already
too late.

Thanks for your work, I like Debian, I just disagree with
your choices in this case.

Daniel