From mboxrd@z Thu Jan 1 00:00:00 1970
From: Leo Famulari
To: 47013@debbugs.gnu.org
Cc: guix-patches@gnu.org
Subject: [bug#47013] [PATCH] gnu: Harden filesystem links.
Date: Mon, 8 Mar 2021 15:50:03 -0500
Message-Id: <7072c80a192f3c136cb70da4a0662d77ce508b56.1615236603.git.leo@famulari.name>
X-Mailer: git-send-email 2.30.1
X-GNU-PR-Message: report 47013
X-GNU-PR-Package: guix-patches

These sysctl options are enabled on most GNU/Linux distros, including
Debian, Fedora, NixOS, and OpenSUSE.

I've tested this patch on Guix System for several weeks, and it doesn't
appear to break anything. Plus, we know that Guix works on other distros
that enable these restrictions.

References:

https://sysctl-explorer.net/fs/protected_hardlinks/
https://sysctl-explorer.net/fs/protected_symlinks/

* gnu/services/base.scm (%base-services): Add a default sysctl-configuration
that enables fs.protected_hardlinks and fs.protected_symlinks.
---
 gnu/services/base.scm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index f6a490f712..edd2c8e355 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -3,7 +3,7 @@ ;;; Copyright © 2015, 2016 Alex Kost ;;; Copyright © 2015, 2016, 2020 Mark H Weaver ;;; Copyright © 2015 Sou Bunnbu -;;; Copyright © 2016, 2017 Leo Famulari +;;; Copyright © 2016, 2017, 2021 Leo Famulari ;;; Copyright © 2016 David Craven ;;; Copyright © 2016 Ricardo Wurmus ;;; Copyright © 2018 Mathieu Othacehe @@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid) @@ -2532,6 +2533,12 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) + (service sysctl-service-type + (sysctl-configuration + (settings + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1"))))) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env")))))) -- 2.30.1
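Review bot: the %base-services hunk adds a concrete `(service sysctl-service-type ...)` instance to the default list, and Guix permits only one instance of a given service type in an operating-system declaration, so any existing configuration that already declares its own sysctl-service-type next to %base-services will stop building with the "more than one instance" error at the next reconfigure; the patch touches only gnu/services/base.scm and gives users no migration note. Suggest exporting the default alist under a name (for example a %default-sysctl-settings variable in (gnu services sysctl)) and documenting in doc/guix.texi that users should now reach the service through `modify-services` on %base-services, building a `(sysctl-configuration (inherit config) ...)` whose settings append their own pairs to `(sysctl-configuration-settings config)`, so the two new defaults are not silently dropped when they override the instance. Worth stating in the same documentation that the two knobs are a narrow mitigation: fs.protected_symlinks only refuses to follow symlinks in sticky, world-writable directories when the follower is neither the link owner nor the directory owner, and fs.protected_hardlinks only refuses links to files the caller cannot already read and write; they do not constrain links elsewhere.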
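As an added example, not part of this patch or of Guix itself: a POSIX shell script that audits whether the two sysctls the patch enables are actually in effect on a running kernel, and, when run as root, demonstrates what each one blocks. The expected-value tables, the stricter policy that also covers fs.protected_fifos and fs.protected_regular (the sibling knobs Linux 4.19 added), the use of the `nobody` account and the /tmp scratch directory are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the patch or of Guix: audit the link-hardening
# sysctls the patch enables, and (as root) demonstrate what they block.
# Portable POSIX sh; needs only sed, awk and coreutils.
set -u

# Expected "key value" pairs, one per line. EXPECTED_LINKS matches what the
# patch sets; EXPECTED_STRICT is an assumed stricter policy that also covers
# the sibling knobs added in Linux 4.19 (fs.protected_fifos/protected_regular).
EXPECTED_LINKS='fs.protected_hardlinks 1
fs.protected_symlinks 1'
EXPECTED_STRICT="$EXPECTED_LINKS
fs.protected_fifos 2
fs.protected_regular 2"

# audit_sysctl_lines EXPECTED: read "key = value" lines (the format of
# `sysctl -a`) on stdin and print one OK/WEAK/MISSING line per expected key.
# Returns 0 only when every expected key is present at the expected value.
audit_sysctl_lines() {
    expected=$1
    # Normalise stdin to "key value"; only the leading integer of the value is kept.
    actual=$(sed -n 's/^[[:space:]]*\([a-z_.]*\)[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1 \2/p')
    findings=0
    # Read the expectations from a here-document rather than a pipe so the
    # loop runs in the current shell and $findings survives it.
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(printf '%s\n' "$actual" | awk -v k="$key" '$1 == k { print $2 }')
        if [ -z "$have" ]; then
            printf 'MISSING  %s (expected %s)\n' "$key" "$want"
            findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            printf 'WEAK     %s = %s (expected %s)\n' "$key" "$have" "$want"
            findings=$((findings + 1))
        else
            printf 'OK       %s = %s\n' "$key" "$have"
        fi
    done <<EOF
$expected
EOF
    [ "$findings" -eq 0 ]
}

# audit_live EXPECTED: feed the running kernel's fs.protected_* values, read
# from /proc/sys, into audit_sysctl_lines.
audit_live() {
    for f in /proc/sys/fs/protected_*; do
        [ -r "$f" ] || continue
        printf '%s = %s\n' "$(printf '%s' "$f" | sed 's|^/proc/sys/||; s|/|.|g')" "$(cat "$f")"
    done | audit_sysctl_lines "$1"
}

# demo_link_guards: as root, show what the two settings block. A symlink planted
# by 'nobody' in a sticky, world-writable directory owned by root must not be
# followed by root (EACCES), and 'nobody' must not be able to hard-link a
# root-only file (EPERM). Prints outcomes only; needs root and the 'nobody' account.
demo_link_guards() {
    [ "$(id -u)" -eq 0 ] || { echo 'demo_link_guards needs root' >&2; return 2; }
    d=$(mktemp -d /tmp/linkguard.XXXXXX) && chmod 1777 "$d"
    target=$d/secret
    echo 'root-only' > "$target" && chmod 600 "$target"
    su -s /bin/sh nobody -c "ln -s '$target' '$d/lure'"
    [ -L "$d/lure" ] || { echo 'could not create symlink as nobody' >&2; rm -rf "$d"; return 2; }
    if cat "$d/lure" >/dev/null 2>&1; then
        echo "symlink followed: fs.protected_symlinks is NOT in effect"
    else
        echo "refused to follow $d/lure: fs.protected_symlinks is in effect"
    fi
    if su -s /bin/sh nobody -c "ln '$target' '$d/hl'" 2>/dev/null; then
        echo "hard link created: fs.protected_hardlinks is NOT in effect"
    else
        echo "refused to hard-link $target: fs.protected_hardlinks is in effect"
    fi
    rm -rf "$d"
}

# Usage: `sh linkguard.sh live` audits the running kernel against the patch's
# values; `sh linkguard.sh demo` runs the root-only demonstration. With no
# argument the file only defines the functions.
case "${1:-}" in
    live) audit_live "$EXPECTED_LINKS" ;;
    demo) demo_link_guards ;;
esac
```

The audit deliberately parses `key = value` text rather than calling `sysctl` so it can be pointed at a saved `sysctl -a` dump from a fleet inventory as easily as at the live kernel; pass `"$EXPECTED_STRICT"` to `audit_live` to check the stricter policy instead.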