This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  b7b65e736e42be7e7988c4c3efe67ca0f2a05057 (commit)
      from  22a6277fc93605d070f042c84f46580bf02af62a (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit b7b65e736e42be7e7988c4c3efe67ca0f2a05057
Author: Peter Müller peter.mueller@ipfire.org
Date:   Mon Oct 5 14:12:18 2020 +0000
sysctl.conf: prevent unintentional writes into attacker-controlled files and FIFOs
Similar to hard- and symlink protection introduced a while ago, this patch enables protections against unintentional writes into attacker-controlled regular files or FIFOs, where a program expected to create new ones. This makes exploiting TOCTOU flaws harder.
See also: https://www.kernel.org/doc/Documentation/sysctl/fs.txt
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/etc/sysctl.conf | 5 +++++
 1 file changed, 5 insertions(+)
Difference in files: diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d48c7734e..be7c07c85 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -49,6 +49,11 @@ kernel.dmesg_restrict = 1 fs.protected_symlinks = 1 fs.protected_hardlinks = 1
+# Don't allow writes to files and FIFOs that we don't own in world writable sticky +# directories, unless they are owned by the owner of the directory. +fs.protected_fifos = 2 +fs.protected_regular = 2 + # Minimal preemption granularity for CPU-bound tasks: # (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds) kernel.sched_min_granularity_ns = 10000000
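Review bot: the comment above the two new keys describes the value-1 behaviour, but both keys are set to 2, which (per the fs.txt document linked in the commit message) additionally applies the restriction to group-writable sticky directories; the restriction also only covers O_CREAT opens of existing files and FIFOs rather than all writes. Suggest amending the comment to match, e.g. `# Don't allow O_CREAT opens of regular files and FIFOs we don't own in world- or` / `# group-writable sticky directories, unless they are owned by the directory owner.` It is also worth confirming that the kernel IPFire ships exposes fs.protected_fifos and fs.protected_regular (both first appeared in Linux 4.19); on an older kernel `sysctl -p` will report an error for these two keys instead of silently ignoring them.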
hooks/post-receive -- IPFire 2.x development tree