| Message ID | 20200709235115.56954-1-jpitti@cisco.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | proc/sysctl: make protected_* world readable | expand |
On Thu, Jul 09, 2020 at 04:51:15PM -0700, Julius Hemanth Pitti wrote: > protected_* files have 600 permissions which prevents > non-superuser from reading them. > > Container like "AWS greengrass" refuse to launch unless > protected_hardlinks and protected_symlinks are set. When > containers like these run with "userns-remap" or "--user" > mapping container's root to non-superuser on host, they > fail to run due to denied read access to these files. > > As these protections are hardly a secret, and do not > possess any security risk, making them world readable. > > Though above greengrass usecase needs read access to > only protected_hardlinks and protected_symlinks files, > setting all other protected_* files to 644 to keep > consistency. > > Fixes: 800179c9b8a1 ("fs: add link restrictions") > Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com> Acked-by: Kees Cook <keescook@chromium.org> I had originally proposed it as 0644, but Ingo asked that it have a more conservative default value[1]. I figured that given the settings can be discovered easily, it's not worth much. And if there are legit cases where things are improved, I don't have a problem switching this back. Ingo, any thoughts on this now, 8 years later in the age of containers? :) (One devil's advocate question: as a workaround, you are able to just change those files to 0644 after mounting /proc, yes? But regardless, why get in people's way for no justifiable reason.) -Kees [1] https://lore.kernel.org/lkml/20120105091704.GB3249@elte.hu/
On Thu, Jul 09, 2020 at 09:31:37PM -0700, Kees Cook wrote: > On Thu, Jul 09, 2020 at 04:51:15PM -0700, Julius Hemanth Pitti wrote: > > protected_* files have 600 permissions which prevents > > non-superuser from reading them. > > > > Container like "AWS greengrass" refuse to launch unless > > protected_hardlinks and protected_symlinks are set. When > > containers like these run with "userns-remap" or "--user" > > mapping container's root to non-superuser on host, they > > fail to run due to denied read access to these files. > > > > As these protections are hardly a secret, and do not > > possess any security risk, making them world readable. > > > > Though above greengrass usecase needs read access to > > only protected_hardlinks and protected_symlinks files, > > setting all other protected_* files to 644 to keep > > consistency. > > > > Fixes: 800179c9b8a1 ("fs: add link restrictions") > > Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com> > > Acked-by: Kees Cook <keescook@chromium.org> > > I had originally proposed it as 0644, but Ingo asked that it have > a more conservative default value[1]. I figured that given the settings > can be discovered easily, it's not worth much. And if there are legit > cases where things are improved, I don't have a problem switching this > back. If we're going to to do this, can we please document why these are "protected" then? Luis > > Ingo, any thoughts on this now, 8 years later in the age of containers? > :) > > (One devil's advocate question: as a workaround, you are able to just > change those files to 0644 after mounting /proc, yes? But regardless, > why get in people's way for no justifiable reason.) > > -Kees > > [1] https://lore.kernel.org/lkml/20120105091704.GB3249@elte.hu/ > > -- > Kees Cook
diff --git a/kernel/sysctl.c b/kernel/sysctl.c index db1ce7a..aeca2fd 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -3223,7 +3223,7 @@ int proc_do_static_key(struct ctl_table *table, int write, .procname = "protected_symlinks", .data = &sysctl_protected_symlinks, .maxlen = sizeof(int), - .mode = 0600, + .mode = 0644, .proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE, @@ -3232,7 +3232,7 @@ int proc_do_static_key(struct ctl_table *table, int write, .procname = "protected_hardlinks", .data = &sysctl_protected_hardlinks, .maxlen = sizeof(int), - .mode = 0600, + .mode = 0644, .proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE, @@ -3241,7 +3241,7 @@ int proc_do_static_key(struct ctl_table *table, int write, .procname = "protected_fifos", .data = &sysctl_protected_fifos, .maxlen = sizeof(int), - .mode = 0600, + .mode = 0644, .proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, .extra2 = &two, @@ -3250,7 +3250,7 @@ int proc_do_static_key(struct ctl_table *table, int write, .procname = "protected_regular", .data = &sysctl_protected_regular, .maxlen = sizeof(int), - .mode = 0600, + .mode = 0644, .proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, .extra2 = &two,
protected_* files have 600 permissions which prevents non-superuser from reading them. Container like "AWS greengrass" refuse to launch unless protected_hardlinks and protected_symlinks are set. When containers like these run with "userns-remap" or "--user" mapping container's root to non-superuser on host, they fail to run due to denied read access to these files. As these protections are hardly a secret, and do not possess any security risk, making them world readable. Though above greengrass usecase needs read access to only protected_hardlinks and protected_symlinks files, setting all other protected_* files to 644 to keep consistency. Fixes: 800179c9b8a1 ("fs: add link restrictions") Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com> --- kernel/sysctl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-)