• Linus Torvalds's avatar
    VFS: don't do protected {sym,hard}links by default · 561ec64a
    Linus Torvalds authored
    In commit 800179c9 ("This adds symlink and hardlink restrictions to
    the Linux VFS"), the new link protections were enabled by default, in
    the hope that no actual application would care, despite it being
    technically against legacy UNIX (and documented POSIX) behavior.
    However, it does turn out to break some applications.  It's rare, and
    it's unfortunate, but it's unacceptable to break existing systems, so
    we'll have to default to legacy behavior.
    In particular, it has broken the way AFD distributes files, see
    along with some legacy scripts.
    Distributions can end up setting this at initrd time or in system
    scripts: if you have security problems due to link attacks during your
    early boot sequence, you have bigger problems than some kernel sysctl
    setting. Do:
    	echo 1 > /proc/sys/fs/protected_symlinks
    	echo 1 > /proc/sys/fs/protected_hardlinks
    to re-enable the link protections.
    Alternatively, we may at some point introduce a kernel config option
    that sets these kinds of "more secure but not traditional" behavioural
    options automatically.
    Reported-by: default avatarNick Bowler <nbowler@elliptictech.com>
    Reported-by: default avatarHolger Kiehl <Holger.Kiehl@dwd.de>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Ingo Molnar <mingo@elte.hu>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@kernel.org # v3.6
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
namei.c 98.8 KB