diff options
Diffstat (limited to 'Documentation/sysctl')
-rw-r--r-- | Documentation/sysctl/fs.txt | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt index 13d6166d7a27..d4a372e75750 100644 --- a/Documentation/sysctl/fs.txt +++ b/Documentation/sysctl/fs.txt | |||
@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs: | |||
32 | - nr_open | 32 | - nr_open |
33 | - overflowuid | 33 | - overflowuid |
34 | - overflowgid | 34 | - overflowgid |
35 | - protected_hardlinks | ||
36 | - protected_symlinks | ||
35 | - suid_dumpable | 37 | - suid_dumpable |
36 | - super-max | 38 | - super-max |
37 | - super-nr | 39 | - super-nr |
@@ -157,6 +159,46 @@ The default is 65534. | |||
157 | 159 | ||
158 | ============================================================== | 160 | ============================================================== |
159 | 161 | ||
162 | protected_hardlinks: | ||
163 | |||
164 | A long-standing class of security issues is the hardlink-based | ||
165 | time-of-check-time-of-use race, most commonly seen in world-writable | ||
166 | directories like /tmp. The common method of exploitation of this flaw | ||
167 | is to cross privilege boundaries when following a given hardlink (i.e. a | ||
168 | root process follows a hardlink created by another user). Additionally, | ||
169 | on systems without separated partitions, this stops unauthorized users | ||
170 | from "pinning" vulnerable setuid/setgid files against being upgraded by | ||
171 | the administrator, or linking to special files. | ||
172 | |||
173 | When set to "0", hardlink creation behavior is unrestricted. | ||
174 | |||
175 | When set to "1" hardlinks cannot be created by users if they do not | ||
176 | already own the source file, or do not have read/write access to it. | ||
177 | |||
178 | This protection is based on the restrictions in Openwall and grsecurity. | ||
179 | |||
180 | ============================================================== | ||
181 | |||
182 | protected_symlinks: | ||
183 | |||
184 | A long-standing class of security issues is the symlink-based | ||
185 | time-of-check-time-of-use race, most commonly seen in world-writable | ||
186 | directories like /tmp. The common method of exploitation of this flaw | ||
187 | is to cross privilege boundaries when following a given symlink (i.e. a | ||
188 | root process follows a symlink belonging to another user). For a likely | ||
189 | incomplete list of hundreds of examples across the years, please see: | ||
190 | http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp | ||
191 | |||
192 | When set to "0", symlink following behavior is unrestricted. | ||
193 | |||
194 | When set to "1" symlinks are permitted to be followed only when outside | ||
195 | a sticky world-writable directory, or when the uid of the symlink and | ||
196 | follower match, or when the directory owner matches the symlink's owner. | ||
197 | |||
198 | This protection is based on the restrictions in Openwall and grsecurity. | ||
199 | |||
200 | ============================================================== | ||
201 | |||
160 | suid_dumpable: | 202 | suid_dumpable: |
161 | 203 | ||
162 | This value can be used to query and set the core dump mode for setuid | 204 | This value can be used to query and set the core dump mode for setuid |