On Fri, 2012-09-07 at 08:56 +0800, jida...@jidanni.org wrote:
> # su - nobody
> No directory, logging in with HOME=/
> nobody@jidanni2:/$ date > /tmp/cc
> nobody@jidanni2:/$ ln -s /tmp/cc /tmp/dd
> nobody@jidanni2:/$ ls -l /tmp/cc /tmp/dd
> -rw-r--r-- 1 nobody nogroup 29 Sep 7 08:37 /tmp/cc
> lrwxrwxrwx 1 nobody nogroup 7 Sep 7 08:37 /tmp/dd -> /tmp/cc
> nobody@jidanni2:/$ su -
> # cat /tmp/cc /tmp/dd
> Fri Sep 7 08:37:38 CST 2012
> cat: /tmp/dd: Permission denied
> # tail /var/log/syslog
> Sep 7 08:36:46 jidanni2 kernel: [19394.443080] type=1400 audit(1346978206.292:11): op=follow_link action=denied pid=19327 comm="cat" path="/tmp/bb" dev="tmpfs" ino=275448
> # uname -a
> Linux jidanni2 3.2.0-3-486 #1 Mon Jul 23 02:47:49 UTC 2012 i686 GNU/Linux
linux-2.6 (3.2.9-1) unstable; urgency=high

  [...]

  * fs: Introduce and enable security restrictions on links:
    - Do not follow symlinks in /tmp that are owned by other users
      (sysctl: fs.protected_symlinks)
    - Do not allow unprivileged users to create hard links to sensitive files
      (sysctl: fs.protected_hardlinks)
      (Closes: #609455)
    + This breaks the 'at' package in stable, which will be fixed shortly
      (see #597130)

The precise restrictions are specified in Documentation/sysctl/fs.txt in the
linux-doc-3.2 and linux-source-3.2 packages.

-- 
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
                                  - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'
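The denial above follows directly from the rule Ben points at in Documentation/sysctl/fs.txt: with fs.protected_symlinks=1 a symlink inside a sticky, world-writable directory is followed only when the follower's uid matches the link owner's uid or the directory owner's uid matches the link owner's uid, and there is no exemption for root. The Python below is an added example (not code from the thread or from the Debian kernel package) that models both sysctls as documented, replays jidanni's scenario, and applies the symlink rule to a real link via lstat()/stat(). Assumptions: root is uid 0 and Debian's nobody is uid 65534; the hard-link model is a simplification of the kernel's check (owner or CAP_FOWNER always allowed; otherwise only a regular, non-setuid, non-setgid-executable file the caller can already read and write); the uid 1000 linker and the file modes in hardlink_scenarios() are constructed inputs.

```python
import os
import stat
import tempfile

# Assumed uids for the thread's scenario: root is 0, Debian's "nobody" is 65534.
ROOT_UID = 0
NOBODY_UID = 65534


def symlink_follow_allowed(dir_mode, dir_uid, link_uid, follower_uid):
    """Model of fs.protected_symlinks=1 (Documentation/sysctl/fs.txt).

    Followed only when the parent is not both sticky and world-writable,
    or the follower owns the link, or the directory owner owns the link.
    Root gets no exemption, which is why root's cat in the thread fails.
    """
    sticky_world_writable = bool(dir_mode & stat.S_ISVTX) and bool(dir_mode & stat.S_IWOTH)
    if not sticky_world_writable:
        return True
    if follower_uid == link_uid:
        return True
    return dir_uid == link_uid


def hardlink_allowed(src_mode, src_uid, linker_uid, linker_has_rw, linker_has_cap_fowner=False):
    """Simplified model of fs.protected_hardlinks=1 (assumption: mirrors the documented rule).

    Owner or CAP_FOWNER: always allowed. Anyone else: only a regular file that is
    not setuid, not a setgid executable, and that they can already read and write.
    """
    if linker_has_cap_fowner or linker_uid == src_uid:
        return True
    if not stat.S_ISREG(src_mode):
        return False
    if src_mode & stat.S_ISUID:
        return False
    if (src_mode & stat.S_ISGID) and (src_mode & stat.S_IXGRP):
        return False
    return linker_has_rw


def check_real_symlink(link_path, follower_uid=None):
    """Apply the symlink rule to a link on disk using lstat() of the link and stat() of its parent."""
    if follower_uid is None:
        follower_uid = os.geteuid()
    link_st = os.lstat(link_path)
    parent = os.path.dirname(os.path.abspath(link_path)) or "/"
    dir_st = os.stat(parent)
    return symlink_follow_allowed(dir_st.st_mode, dir_st.st_uid, link_st.st_uid, follower_uid)


def sysctl_protected_symlinks():
    """Current fs.protected_symlinks value, or None if /proc/sys is unavailable (non-Linux)."""
    try:
        with open("/proc/sys/fs/protected_symlinks") as fh:
            return int(fh.read().strip())
    except OSError:
        return None


def thread_scenario():
    """jidanni's test: /tmp is root-owned mode 1777, /tmp/dd is owned by nobody.
    Returns (allowed for root, allowed for nobody)."""
    tmp_mode = stat.S_IFDIR | 0o1777
    return (
        symlink_follow_allowed(tmp_mode, ROOT_UID, NOBODY_UID, ROOT_UID),
        symlink_follow_allowed(tmp_mode, ROOT_UID, NOBODY_UID, NOBODY_UID),
    )


def hardlink_scenarios():
    """Constructed cases for an unprivileged linker (uid 1000): root's 0640 file,
    a root-owned setuid 4755 binary, and a root-owned 0666 file the linker can read/write."""
    return (
        hardlink_allowed(stat.S_IFREG | 0o640, ROOT_UID, 1000, linker_has_rw=False),
        hardlink_allowed(stat.S_IFREG | 0o4755, ROOT_UID, 1000, linker_has_rw=True),
        hardlink_allowed(stat.S_IFREG | 0o666, ROOT_UID, 1000, linker_has_rw=True),
    )


def demo_on_disk():
    """Sticky world-writable directory owned by the current user, with one symlink in it.
    Returns (allowed for the link owner, allowed for an unrelated uid): both True, because
    the directory owner and the link owner coincide (third clause of the rule)."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o1777)
        target = os.path.join(d, "cc")
        with open(target, "w") as fh:
            fh.write("constructed target\n")  # constructed sample file
        link = os.path.join(d, "dd")
        os.symlink(target, link)
        me = os.geteuid()
        return (check_real_symlink(link, me), check_real_symlink(link, me + 1))


if __name__ == "__main__":
    print("fs.protected_symlinks =", sysctl_protected_symlinks())
    print("thread scenario (root, nobody):", thread_scenario())
    print("hardlink cases:", hardlink_scenarios())
    print("on-disk demo:", demo_on_disk())
```

The practical check before blaming a permissions bug is `cat /proc/sys/fs/protected_symlinks`; when it reads 1, a root process reading through a user-owned link in /tmp will be refused exactly as in the transcript, and the kernel logs the refusal as the op=follow_link action=denied audit line shown above.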