On 21.12.21 at 12:10, Ansgar wrote:
> reassign 1002064 procps 2:3.3.17-5
>
> On Tue, 2021-12-21 at 11:49 +0100, Daniel Feuchtinger wrote:
>> Debian 11 introduces a new feature, that prevents users from writing
>> to files that they don't own ignoring the file permissions
>> (see https://github.com/torvalds/linux/commit/30aba6656f ).
>>
>> 1. I think, that should not be the default behaviour but opt in.
>
> I disagree: it is a sensible change. If you want an insecure
> configuration, you should have to explicitly configure your system to
> be so.
If you say so... Try a user's perspective:
You try to write to a file and it does not work (funny: touch does work)
You check the file permissions
You check the extended attributes
You search for errors and logs
You check AppArmor
You check the Debian release notes
You search for strange security features, breaking basic file system functionality
...
You'll find nothing (you'll find something,
if you know the result of your search).
File access rights are not a corner case feature of some
special program with security holes, it's a basic file
system feature that is now "broken".
To introduce that without a visible mention
is giving your users the finger in my opinion.
>
>> 2. If you fix it (write "fs.protected_regular=0" to /etc/sysctl.conf)
>> that fix should work.
>
> You need to write to /etc/sysctl.d/protect-links.conf to overwrite
> settings in /usr/lib/sysctl.d/protect-links.conf.
Thanks for the solution.
>
> See the "examples" section in man:systemd-sysctl(8).
I still think, that a hint in /etc/sysctl.conf, that this
file is not working as expected, would be user friendly.
Or: If you break it, why not remove it?
Anyway, you might as well close this bug, if there's no
chance of changing the default behaviour. I guess for
a visible mention in the release notes, it is already
too late.
Thanks for your work, I like Debian, I just disagree with
your choices in this case.
Daniel
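
The override behaviour discussed in this thread, as an added example that is not part of the original messages or of procps: a shell function that reports which sysctl.d file ends up deciding a key such as `fs.protected_regular`. It assumes the ordering rules of sysctl.d(5) (files applied in basename order across directories, same-named files in `/etc` masking those in `/usr/lib`) and that `/etc/sysctl.conf` is only read through a `/etc/sysctl.d/99-sysctl.conf` symlink; the function name and the `ROOT` argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report which sysctl.d file decides a key.
# Simplification: keys are matched in dotted form only (no "/" separators).

# effective_sysctl KEY [ROOT] prints "VALUE<TAB>FILE" for the winning line.
# ROOT is a hypothetical prefix so the function can run against a test tree.
effective_sysctl() (
    key=$1 root=${2:-} result="" tab=$(printf '\t')
    dirs="/etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d"   # highest priority first

    # Every *.conf basename present in any directory, in C-locale order.
    names=$(for d in $dirs; do
                for f in "$root$d"/*.conf; do
                    if [ -e "$f" ]; then basename "$f"; fi
                done
            done | LC_ALL=C sort -u)

    # Files are applied in basename order, whatever directory they live in.
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        # A same-named file in an earlier directory masks the later ones.
        for d in $dirs; do
            rel=$d/$name
            if [ -e "$root$rel" ]; then break; fi
        done
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line#"${line%%[![:space:]]*}"}            # trim leading blanks
            case $line in
                ''|'#'*|';'*) continue ;;                    # blank or comment
                *=*) ;;
                *) continue ;;
            esac
            k=${line%%=*}; k=${k%"${k##*[![:space:]]}"}      # key, right-trimmed
            k=${k#-}                                         # "-key": ignore errors
            v=${line#*=}
            v=${v#"${v%%[![:space:]]*}"}; v=${v%"${v##*[![:space:]]}"}
            # A later assignment replaces an earlier one.
            if [ "$k" = "$key" ]; then result="$v$tab$rel"; fi
        done < "$root$rel"
    done <<EOF
$names
EOF
    printf '%s\n' "$result"
)

# On a live system: effective_sysctl fs.protected_regular
```

Because `protect-links.conf` sorts after `99-sysctl.conf`, a value set in `/etc/sysctl.conf` is applied first and then replaced, which is why the override has to live in `/etc/sysctl.d/protect-links.conf`.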