From: Leo Famulari
To: 47013@debbugs.gnu.org
Date: Fri, 12 Mar 2021 17:05:51 -0500
Subject: [bug#47013] [PATCH] gnu: Harden filesystem links.
In-Reply-To: <7072c80a192f3c136cb70da4a0662d77ce508b56.1615236603.git.leo@famulari.name>

Here is an updated patch that can be composed with other sysctl-service-types that the user may have added to config.scm.

[Attachment: 0001-system-Harden-filesystem-links.patch]

From 1e3bd831899a4ec9dfa7199a381421adbfe0dcf7 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Fri, 12 Mar 2021 17:03:26 -0500
Subject: [PATCH] system: Harden filesystem links.

These sysctl options are enabled on most GNU/Linux distros, including
Debian, Fedora, NixOS, and OpenSUSE.

I've tested this patch on Guix System for several weeks, and it doesn't
appear to break anything. Plus, we know that Guix works on other distros
that enable these restrictions.

References:

https://sysctl-explorer.net/fs/protected_hardlinks/
https://sysctl-explorer.net/fs/protected_symlinks/

* gnu/services/base.scm (default-sysctl-settings): New variable.
(%base-services): Add default-sysctl-settings.
--- gnu/services/base.scm | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index f6a490f712..64aac36401 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid) @@ -2484,6 +2485,11 @@ to handle." (requirement requirement) (name-servers name-servers))))) =20 +(define (default-sysctl-settings default-settings) + (simple-service 'base-sysctl-settings + sysctl-service-type + default-settings)) + =0C (define %base-services ;; Convenience variable holding the basic services. 
@@ -2532,6 +2538,10 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) =20 + (default-sysctl-settings + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1"))) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env")))))) --=20 2.30.2
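Review bot: the new `#:use-module (gnu services sysctl)` line in the first hunk makes (gnu services base) depend on the sysctl module; please confirm that (gnu services sysctl) does not itself import (gnu services base), since a cycle between the two would only load correctly by accident of evaluation order. If it does, the default settings could live in sysctl.scm and be referenced from base.scm instead.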
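Review bot: the ChangeLog entry reads `(default-sysctl-settings): New variable`, but the second hunk defines a one-argument procedure wrapping `simple-service`; either say "New procedure" or, more useful to users who want to refer to the defaults from config.scm, bind the settings alist itself to an exported variable (a `%default-sysctl-settings` constant, name suggested here) and call `simple-service` on it at the use site. A docstring on the definition would also help readers of base.scm.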
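Review bot: in the third hunk the two `fs.protected_*` settings are quoted inline inside `%base-services`, so a user has nothing to reference when inspecting or reusing the base defaults; that ties in with the naming point above. Since this changes the kernel parameters every Guix System boots with, the patch should also carry a doc/guix.texi note under the sysctl service stating that `fs.protected_hardlinks` and `fs.protected_symlinks` are now set to "1" by default, so the behaviour change is discoverable without reading base.scm.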
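The composition the cover letter describes, as an added example that is not part of the patch or of Guix's own code: a user's config.scm that layers its own sysctl settings next to the defaults %base-services carries after this patch. The host name, bootloader target, file-system label, the service name 'site-sysctl-settings and the two kernel.* knobs are placeholders chosen for illustration.

```scheme
;; Added example, not part of the patch or of Guix itself: a user's
;; config.scm that layers its own sysctl settings on top of the defaults
;; the patch puts into %base-services.  Because %base-services extends
;; sysctl-service-type with simple-service instead of instantiating it,
;; a second simple-service from the user composes with it rather than
;; producing a duplicate-service error.
(use-modules (gnu)
             (gnu services sysctl))

(operating-system
  (host-name "hardened-box")            ; placeholder
  (timezone "Etc/UTC")
  (locale "en_US.utf8")

  ;; Placeholders: replace with the disk and root file system of your machine.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  (services
   (append
    (list
     ;; Extra settings chosen for illustration.  Values are strings, the
     ;; form sysctl-configuration expects; they are added alongside the
     ;; fs.protected_* defaults already supplied by %base-services.
     (simple-service 'site-sysctl-settings
                     sysctl-service-type
                     '(("kernel.kptr_restrict" . "1")
                       ("kernel.dmesg_restrict" . "1"))))
    %base-services)))
```

`guix system build config.scm` checks that the declaration composes before anything is reconfigured; after `guix system reconfigure` and a reboot, `sysctl fs.protected_hardlinks fs.protected_symlinks kernel.kptr_restrict kernel.dmesg_restrict` should report 1 for each, which is the check worth scripting into a post-deploy audit rather than trusting the configuration alone.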