Systemd 241 Paired With Linux 4.19+ To Enable New Regular File & FIFO Protection


  • Systemd 241 Paired With Linux 4.19+ To Enable New Regular File & FIFO Protection

    Phoronix: Systemd 241 Paired With Linux 4.19+ To Enable New Regular File & FIFO Protection

    The Linux 4.19 kernel brought the ability to disallow the opening of FIFOs and regular files not owned by the user in world-writable sticky directories in the name of security. Had this ability been around previously it could have prevented a number of CVEs going back a long time. In helping ensure this functionality gets utilized, Systemd 241 will now set these sysctl options to enable the behavior by default...

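    The kernel knobs behind the article summary are fs.protected_regular and fs.protected_fifos (0 = off, 1 = enforced in world-writable sticky directories, 2 = also enforced in group-writable sticky directories); systemd 241 sets both to 1 through its default sysctl.d drop-in. As an added example that is neither the article's nor systemd's code, the POSIX shell script below reads the live values from /proc/sys/fs, decodes them, and parses sysctl.d-style configuration text (the two sample configs are constructed, not copies of real files) to tell whether a host's persistent configuration actually enables both protections. The helper names (describe_protection, read_live, conf_value, is_hardened) are this example's own; it assumes only /bin/sh and awk.

```shell
#!/bin/sh
# Added example, not code from the Phoronix article or from systemd: audit the
# fs.protected_regular / fs.protected_fifos sysctls that Linux 4.19+ provides and
# that systemd 241 turns on by default through its sysctl.d defaults.

# Map a knob value to its meaning as documented in the kernel's sysctl/fs docs.
describe_protection() {
  case "$1" in
    0) echo "disabled" ;;
    1) echo "enforced in world-writable sticky directories" ;;
    2) echo "enforced in world-writable and group-writable sticky directories" ;;
    *) echo "unknown value: $1" ;;
  esac
}

# Read the live value from procfs; prints "unsupported" on kernels without the knob.
read_live() {
  f="/proc/sys/fs/$1"
  if [ -r "$f" ]; then cat "$f"; else echo unsupported; fi
}

# Parse sysctl.conf-style text on stdin (the format sysctl.d drop-ins use) and print
# the value of the requested key, or "unset". The last assignment wins, as with
# `sysctl --system`; "fs/protected_regular" is accepted as an alias of the dotted form.
conf_value() {
  awk -v key="$1" '
    /^[ \t]*[#;]/ { next }                     # skip comment lines
    /=/ {
      eq = index($0, "="); k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      gsub(/\//, ".", k)
      if (k == key) val = v
    }
    END { if (val == "") print "unset"; else print val }'
}

# Succeeds (exit 0) only when both knobs are set to 1 or 2 in the given config text.
is_hardened() {
  r=$(printf '%s\n' "$1" | conf_value fs.protected_regular)
  f=$(printf '%s\n' "$1" | conf_value fs.protected_fifos)
  case "$r" in 1|2) ;; *) return 1 ;; esac
  case "$f" in 1|2) ;; *) return 1 ;; esac
}

# Constructed sample inputs (not copies of real files): one that mirrors the systemd 241
# defaults and one from a setup that only has the older hardlink/symlink protections.
SAMPLE_DEFAULT='# constructed: mirrors what systemd 241 ships as defaults
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1'

SAMPLE_LEGACY='fs.protected_hardlinks = 1
fs.protected_symlinks = 1'

# Report the live state of this machine when the script is run directly.
for k in protected_regular protected_fifos; do
  v=$(read_live "$k")
  case "$v" in
    0|1|2) echo "fs.$k = $v ($(describe_protection "$v"))" ;;
    *)     echo "fs.$k = $v" ;;
  esac
done
```

    Checking /proc/sys/fs rather than the kernel version string is deliberate: the knobs are what matter, and a kernel older than 4.19 may still carry them, so the live read answers the question regardless of version. Running `is_hardened` over the concatenated contents of /etc/sysctl.d/*.conf catches the other failure mode, a local drop-in that overrides the systemd default back to 0 and silently reverts the protection on the next boot.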

  • #2
    I never understood why FIFOs (and local sockets, for that matter) should be allowed anywhere in the main filesystem tree. By definition they are transient objects that cannot survive across reboots and should have no business living in a storage space designed for persistent objects. The only legitimate place for them IMHO is under /run

  • #3
    Originally posted by jacob View Post
    I never understood why FIFOs (and local sockets, for that matter) should be allowed anywhere in the main filesystem tree. By definition they are transient objects that cannot survive across reboots and should have no business living in a storage space designed for persistent objects. The only legitimate place for them IMHO is under /run
    Doesn't Linux share the UNIX philosophy that "everything is a file"? Which would mean that everything belongs in some kind of filesystem tree?

  • #4
    Originally posted by mzs.112000 View Post
    Doesn't Linux share the UNIX philosophy that "everything is a file"? Which would mean that everything belongs in some kind of filesystem tree?
    And this philosophy is so overused that it collapses soon enough when we need to read something from /sys or /proc. Everyone is implementing parsing of the same text files over and over to get data that should be binary to begin with.

  • #5
    Originally posted by mzs.112000 View Post
    Doesn't Linux share the UNIX philosophy that "everything is a file"? Which would mean that everything belongs in some kind of filesystem tree?
    "Everything is a file" is one of the very few aspects of UNIX which are actually intelligent. But that doesn't mean that everything should be a *persistent* file. Many types of objects are inherently transient, and creating persistent, reboot-resistant names on disk for such objects that may or may not actually exist when accessed is plain stupid. They should be visible as files, but in a special-purpose, non-persistent directory and only as long as they are actually usable (e.g. as long as some process is actually reading from the FIFO, or listens on a socket). And since we are at it, why on Earth are IP sockets not represented as files too?

  • #6
    Originally posted by monraaf
    Our only salvation is Slackware and the BSDs, make sure systemd, shim and their kind never even get a foothold in BSD land EVER!

  • #7
    Originally posted by monraaf
    Our only salvation is Slackware and the BSDs, make sure systemd, shim and their kind never even get a foothold in BSD land EVER!
    *Alpine Linux, Artix (Arch/OpenRC), Gentoo and any other distro using or offering OpenRC.

  • #8
    Originally posted by bitman View Post
    And this philosophy is so overused that it collapses soon enough when we need to read something from /sys or /proc. Everyone is implementing parsing of the same text files over and over to get data that should be binary to begin with.
    but... but... shell scripting!

    /sarcasm

  • #9
    Actually, you don't need to be using 4.19; this change is backported to all still-supported LTS versions.

  • #10
    SDDM still isn't starting for me under Hyper-V with systemd 240 or the latest git