Systemd 241 Paired With Linux 4.19+ To Enable New Regular File & FIFO Protection


  • Systemd 241 Paired With Linux 4.19+ To Enable New Regular File & FIFO Protection

    Phoronix: Systemd 241 Paired With Linux 4.19+ To Enable New Regular File & FIFO Protection

    The Linux 4.19 kernel brought the ability to disallow the opening of FIFOs and regular files not owned by the user in world-writable sticky directories in the name of security. Had this ability been around previously it could have prevented a number of CVEs going back a long time. In helping ensure this functionality gets utilized, Systemd 241 will now set these sysctl options to enable the behavior by default...

    http://www.phoronix.com/scan.php?pag...nux-419-Sysctl
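    The two sysctl knobs the article refers to are fs.protected_fifos and fs.protected_regular. The POSIX shell audit below is an added example (not code from the Phoronix article or from systemd): it reads each knob from /proc/sys/fs, explains the value using the meanings given in the kernel's sysctl documentation, and reports "absent" on a kernel that carries neither the feature nor its backport. The value 1 in the hint line is my assumption of a conservative enabling setting; check your distribution's sysctl.d for what it actually ships.

```shell
#!/bin/sh
# Added example (not from the Phoronix article or systemd): audit the
# Linux 4.19+ knobs fs.protected_fifos and fs.protected_regular.
#
# Value meanings (kernel sysctl documentation):
#   0  protection off
#   1  refuse O_CREAT opens of FIFOs / regular files not owned by the
#      caller in world-writable sticky directories, unless the file is
#      owned by the directory owner
#   2  as 1, additionally for group-writable sticky directories

# Map a sysctl value to a short description.
describe_protection() {
    case "$1" in
        0) printf 'off\n' ;;
        1) printf 'world-writable sticky dirs\n' ;;
        2) printf 'world- and group-writable sticky dirs\n' ;;
        *) printf 'unknown value %s\n' "$1" ;;
    esac
}

# Print one knob's value, or "absent" when the running kernel does not
# expose it (a pre-4.19 kernel without the backport).
read_knob() {
    f="/proc/sys/fs/$1"
    if [ -r "$f" ]; then cat "$f"; else printf 'absent\n'; fi
}

# Report both knobs; return 0 only if both exist and are non-zero.
check_hardening() {
    rc=0
    for knob in protected_fifos protected_regular; do
        v=$(read_knob "$knob")
        if [ "$v" = absent ]; then
            printf '%s: not supported by this kernel\n' "$knob"
            rc=1
        else
            printf '%s = %s (%s)\n' "$knob" "$v" "$(describe_protection "$v")"
            [ "$v" -gt 0 ] || rc=1
        fi
    done
    return $rc
}

# Assumed enabling values; adjust to your distribution's sysctl.d policy.
check_hardening || printf 'hint: fs.protected_fifos=1 fs.protected_regular=1 in /etc/sysctl.d/\n'
```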

  • #2
    I never understood why should FIFOs (and local sockets, for that matter) be allowed anywhere in the main filesystem tree. By definition they are transient objects that cannot survive across reboots and should have no business living in a storage space designed for persistent objects. The only legitimate place for them IMHO is under /run

    Comment


    • #3
      Originally posted by jacob View Post
      I never understood why should FIFOs (and local sockets, for that matter) be allowed anywhere in the main filesystem tree. By definition they are transient objects that cannot survive across reboots and should have no business living in a storage space designed for persistent objects. The only legitimate place for them IMHO is under /run
      Doesn't Linux share the UNIX philosophy that "everything is a file"? Which would mean that everything belongs in some kind of filesystem tree?

      Comment


      • #4
        Originally posted by mzs.112000 View Post

        Doesn't Linux share the UNIX philosophy that "everything is a file"? Which would mean that everything belongs in some kind of filesystem tree?
        And this philosophy is so overused that it collapses soon enough when we need to read something from /sys or /proc. Everyone is implementing parsing of the same text files over and over to get data that should be binary to begin with.

        Comment


        • #5
          Originally posted by mzs.112000 View Post

          Doesn't Linux share the UNIX philosophy that "everything is a file"? Which would mean that everything belongs in some kind of filesystem tree?
          "Everything is a file" is one of the very few aspects of UNIX which are actually intelligent. But that doesn't mean that everything should be a *persistent* file. Many types of objects are inherently transient and creating persistent, reboot-resistant names on disk for such objects that may or may not actually exist when accessed is plain stupid. They should be visible as files, but in a special purpose, non persistent directory and only as long as they are actually usable (e.g. as long as some process is actually reading from the FIFO, or listens on a socket). And since we are at it, why on Earth are IP sockets not represented as files too?

          Comment


          • #6
            "Doesn't Linux share the UNIX philosophy that "everything is a file"? Which would mean that everything belongs in some kind of filesystem tree?"

            That used to be the unix philosophy until systemd came and destroyed it all.

            At this point I no longer value Linux over Microsoft Windows because that is basically what they made out of it with pulseaudio + systemd.

            Our only salvation is Slackware and the BSDs, make sure systemd, shim and their kind never even get a foothold in BSD land EVER!

            Comment


            • #7
              Originally posted by monraaf View Post
              Our only salvation is Slackware and the BSDs, make sure systemd, shim and their kind never even get a foothold in BSD land EVER!
              https://wiki.freebsd.org/launchd

              Comment


              • #8
                Originally posted by monraaf View Post
                Our only salvation is Slackware and the BSDs, make sure systemd, shim and their kind never even get a foothold in BSD land EVER!
                *Alpine Linux, Artix (Arch/OpenRC), Gentoo and any other distro using or offering OpenRC.

                Comment


                • #9
                  Originally posted by bitman View Post
                  And this philosophy is so overused that it collapses soon enough when we need to read something from /sys or /proc.. Everyone is implementing parsing of same text files over and over to get data that should be binary to begin with.
                  but... but... shell scripting!

                  /sarcasm

                  Comment


                  • #10
                    Actually, you don't need to be using 4.19, this change is backported to all still supported LTS versions.

                    Comment
