author | Kees Cook <keescook@chromium.org> | 2011-11-30 14:20:13 -0800
---|---|---
committer | Tim Gardner <tim.gardner@canonical.com> | 2012-03-19 11:29:56 -0600
commit | ad6edf1ec8ccf6673d931340cdfec237db38b640 (patch) |
tree | fe670fd1947be2647e2949adf19c5413828387c4 /Documentation |
parent | ecd35f1cca9c7d2ea459e67e78acc0438aa90cd1 (diff) |
UBUNTU: SAUCE: Yama: add link restrictions
Add symlink and hardlink restrictions that have shown real-world security
benefits, along with sysctl knobs to control them.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/security/Yama.txt | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/Documentation/security/Yama.txt b/Documentation/security/Yama.txt index dcb469591d1..d4318415989 100644 --- a/Documentation/security/Yama.txt +++ b/Documentation/security/Yama.txt 
@@ -5,10 +5,54 @@ any other LSM). Yama is controlled through sysctl in /proc/sys/kernel/yama: +- protected_sticky_symlinks +- protected_nonaccess_hardlinks - ptrace_scope ============================================================== +protected_sticky_symlinks: + +A long-standing class of security issues is the symlink-based +time-of-check-time-of-use race, most commonly seen in world-writable +directories like /tmp. The common method of exploitation of this flaw +is to cross privilege boundaries when following a given symlink (i.e. a +root process follows a symlink belonging to another user). For a likely +incomplete list of hundreds of examples across the years, please see: +http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp + +When set to "0", symlink following behavior is unrestricted. + +When set to "1" symlinks are permitted to be followed only when outside +a sticky world-writable directory, or when the uid of the symlink and +follower match, or when the directory owner matches the symlink's owner. + +This protection is based on the restrictions in Openwall and grsecurity. + +============================================================== + +protected_nonaccess_hardlinks: + +Hardlinks can be abused in a similar fashion to symlinks in sticky +world-writable directories, but their weakness is not limited to +just that scenario. For example, if /etc and /home are on the same +partition, a regular user can create a hardlink to /etc/shadow in their +home directory. While it retains the original owner and permissions, +it is possible for privileged programs that are otherwise symlink-safe +to mistakenly access the file through its hardlink. Additionally, a very +minor untraceable quota-bypassing local denial of service is possible by +an attacker exhausting disk space by filling a world-writable directory +with hardlinks. + +When set to "0", hardlink creation behavior is unrestricted. 
+ +When set to "1", hardlinks cannot be created to files that a given user +would be unable to read and write originally, or are otherwise sensitive. + +This protection is based on the restrictions in Openwall and grsecurity. + +============================================================== + ptrace_scope: As Linux grows in popularity, it will become a larger target for |
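Review bot: the protected_nonaccess_hardlinks description leaves the rule underspecified: "hardlinks cannot be created to files that a given user would be unable to read and write originally, or are otherwise sensitive" never says what "otherwise sensitive" covers, so an administrator cannot predict which existing programs break once the knob is set to "1". Suggest replacing "or are otherwise sensitive" with the concrete categories the check actually enforces. In the same spirit, neither option says what the caller observes on denial; a sentence per option stating the error returned when a symlink traversal or link() is refused would make the "1" setting testable. Finally, "when the uid of the symlink and follower match" in protected_sticky_symlinks should spell out which uid of the following process is compared (for example the fsuid), since "follower" is not defined anywhere in the file.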