author Linus Torvalds <torvalds@linux-foundation.org> 2012-08-01 13:26:23 -0400
committer Linus Torvalds <torvalds@linux-foundation.org> 2012-08-01 13:26:23 -0400
commit a0e881b7c189fa2bd76c024dbff91e79511c971d (patch)
tree 0c801918565b08921d21aceee5b326f64d998f5f /Documentation/sysctl
parent eff0d13f3823f35d70228cd151d2a2c89288ff32 (diff)
parent dbc6e0222d79e78925fe20733844a796a4b72cf9 (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Pull second vfs pile from Al Viro:
 "The stuff in there: fsfreeze deadlock fixes by Jan (essentially, the
  deadlock reproduced by xfstests 068), symlink and hardlink restriction
  patches, plus assorted cleanups and fixes.

  Note that another fsfreeze deadlock (emergency thaw one) is *not*
  dealt with - the series by Fernando conflicts a lot with Jan's, breaks
  userland ABI (FIFREEZE semantics gets changed) and trades the deadlock
  for massive vfsmount leak; this is going to be handled next cycle.
  There probably will be another pull request, but that stuff won't be
  in it."

Fix up trivial conflicts due to unrelated changes next to each other in
drivers/{staging/gdm72xx/usb_boot.c, usb/gadget/storage_common.c}

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (54 commits)
  delousing target_core_file a bit
  Documentation: Correct s_umount state for freeze_fs/unfreeze_fs
  fs: Remove old freezing mechanism
  ext2: Implement freezing
  btrfs: Convert to new freezing mechanism
  nilfs2: Convert to new freezing mechanism
  ntfs: Convert to new freezing mechanism
  fuse: Convert to new freezing mechanism
  gfs2: Convert to new freezing mechanism
  ocfs2: Convert to new freezing mechanism
  xfs: Convert to new freezing code
  ext4: Convert to new freezing mechanism
  fs: Protect write paths by sb_start_write - sb_end_write
  fs: Skip atime update on frozen filesystem
  fs: Add freezing handling to mnt_want_write() / mnt_drop_write()
  fs: Improve filesystem freezing handling
  switch the protection of percpu_counter list to spinlock
  nfsd: Push mnt_want_write() outside of i_mutex
  btrfs: Push mnt_want_write() outside of i_mutex
  fat: Push mnt_want_write() outside of i_mutex
  ...

Diffstat (limited to 'Documentation/sysctl')
-rw-r--r-- Documentation/sysctl/fs.txt 42
1 files changed, 42 insertions, 0 deletions
diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt
index 8c235b6e4246..88152f214f48 100644
--- a/Documentation/sysctl/fs.txt
+++ b/Documentation/sysctl/fs.txt
@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs:
32- nr_open 32- nr_open
33- overflowuid 33- overflowuid
34- overflowgid 34- overflowgid
35- protected_hardlinks
36- protected_symlinks
35- suid_dumpable 37- suid_dumpable
36- super-max 38- super-max
37- super-nr 39- super-nr
@@ -157,6 +159,46 @@ The default is 65534.
157 159
158============================================================== 160==============================================================
159 161
162protected_hardlinks:
163
164A long-standing class of security issues is the hardlink-based
165time-of-check-time-of-use race, most commonly seen in world-writable
166directories like /tmp. The common method of exploitation of this flaw
167is to cross privilege boundaries when following a given hardlink (i.e. a
168root process follows a hardlink created by another user). Additionally,
169on systems without separated partitions, this stops unauthorized users
170from "pinning" vulnerable setuid/setgid files against being upgraded by
171the administrator, or linking to special files.
172
173When set to "0", hardlink creation behavior is unrestricted.
174
175When set to "1" hardlinks cannot be created by users if they do not
176already own the source file, or do not have read/write access to it.
177
178This protection is based on the restrictions in Openwall and grsecurity.
179
180==============================================================
181
182protected_symlinks:
183
184A long-standing class of security issues is the symlink-based
185time-of-check-time-of-use race, most commonly seen in world-writable
186directories like /tmp. The common method of exploitation of this flaw
187is to cross privilege boundaries when following a given symlink (i.e. a
188root process follows a symlink belonging to another user). For a likely
189incomplete list of hundreds of examples across the years, please see:
190http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
191
192When set to "0", symlink following behavior is unrestricted.
193
194When set to "1" symlinks are permitted to be followed only when outside
195a sticky world-writable directory, or when the uid of the symlink and
196follower match, or when the directory owner matches the symlink's owner.
197
198This protection is based on the restrictions in Openwall and grsecurity.
199
200==============================================================
201
160suid_dumpable: 202suid_dumpable:
161 203
162This value can be used to query and set the core dump mode for setuid 204This value can be used to query and set the core dump mode for setuid
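
Review bot: the "1" description for protected_hardlinks (new lines 175-176) is ambiguous: "if they do not already own the source file, or do not have read/write access to it" can be read as denying the link when either condition fails or only when both fail. Stating the permitted cases positively, the way the protected_symlinks text at 194-196 does ("permitted to be followed only when ..."), would remove the doubt. The rationale at 168-171 also mentions setuid/setgid files and special files, but the "1" text does not say how those are treated, so a reader cannot tell from this entry whether the pinning case is actually covered. Neither new section states its default value, unlike the entry just above the hunk ("The default is 65534."); one line per section would help administrators auditing a system. Minor style point: 'When set to "1"' at 175 and 194 lacks the comma used in the matching "0" sentences.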