| author | Kees Cook <keescook@chromium.org> | 2011-11-30 14:20:13 -0800 |
|---|---|---|
| committer | John Rigby <john.rigby@linaro.org> | 2012-06-20 20:25:52 -0600 |
| commit | c99cde029ae7953ae3d1e6af8638a7be9f8a83fe (patch) | |
| tree | b94dda5139d65323cb700119b4060d9958c0e7cd /Documentation | |
| parent | 11d86a0a1e71edbe0b8e940b78f0a589f653ecea (diff) | |
UBUNTU: SAUCE: Yama: add link restrictions
Add symlink and hardlink restrictions that have shown real-world security
benefits, along with sysctl knobs to control them.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/security/Yama.txt | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/Documentation/security/Yama.txt b/Documentation/security/Yama.txt index a9511f17906..442fac4486f 100644 --- a/Documentation/security/Yama.txt +++ b/Documentation/security/Yama.txt 
@@ -5,10 +5,54 @@ any other LSM). Yama is controlled through sysctl in /proc/sys/kernel/yama: +- protected_sticky_symlinks +- protected_nonaccess_hardlinks - ptrace_scope ============================================================== +protected_sticky_symlinks: + +A long-standing class of security issues is the symlink-based +time-of-check-time-of-use race, most commonly seen in world-writable +directories like /tmp. The common method of exploitation of this flaw +is to cross privilege boundaries when following a given symlink (i.e. a +root process follows a symlink belonging to another user). For a likely +incomplete list of hundreds of examples across the years, please see: +http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp + +When set to "0", symlink following behavior is unrestricted. + +When set to "1" symlinks are permitted to be followed only when outside +a sticky world-writable directory, or when the uid of the symlink and +follower match, or when the directory owner matches the symlink's owner. + +This protection is based on the restrictions in Openwall and grsecurity. + +============================================================== + +protected_nonaccess_hardlinks: + +Hardlinks can be abused in a similar fashion to symlinks in sticky +world-writable directories, but their weakness is not limited to +just that scenario. For example, if /etc and /home are on the same +partition, a regular user can create a hardlink to /etc/shadow in their +home directory. While it retains the original owner and permissions, +it is possible for privileged programs that are otherwise symlink-safe +to mistakenly access the file through its hardlink. Additionally, a very +minor untraceable quota-bypassing local denial of service is possible by +an attacker exhausting disk space by filling a world-writable directory +with hardlinks. + +When set to "0", hardlink creation behavior is unrestricted. 
+ +When set to "1", hardlinks cannot be created to files that a given user +would be unable to read and write originally, or are otherwise sensitive. + +This protection is based on the restrictions in Openwall and grsecurity. + +============================================================== + ptrace_scope: As Linux grows in popularity, it will become a larger target for |
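Review bot: The protected_nonaccess_hardlinks description of "1" leaves "or are otherwise sensitive" undefined, and since this text is what administrators will read to learn which link() calls get refused, it should spell out the concrete conditions the check applies rather than leaving the reader to guess; the preceding clause already gives one (the caller lacks read and write access to the target), so list the remaining ones explicitly. Neither new section states the default value of its sysctl, so add a "The default is ..." line to both, matching the style of the existing ptrace_scope section. It would also help to say in the hardlink section that the restriction is enforced only at creation time: hardlinks that already exist when the knob is switched to "1" are left in place, so enabling it is not a cleanup of links made while it was "0".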