Linux 5.10 Adds "nosymfollow" Mount Option Security Defense

  • #1
    Phoronix: Linux 5.10 Adds "nosymfollow" Mount Option Security Defense

    FreeBSD has long supported a "nosymfollow" mount option to prevent following of symlinks on mounted file-systems, while now the mainline Linux kernel is adding a similar security defense...

    http://www.phoronix.com/scan.php?pag...10-nosymfollow

  • #2
    So when is any distribution enabling this by default?
    And which distribution will be the first to enable this by default?



    • #3
      I doubt any major distro will use it by default since so many are dependent on symlinks everywhere to work



      • #4
        It only impacts files read by the kernel (in the kernel code).
        I don't think the kernel reads a lot of files on its own. It exposes files (/sys, /dev, /proc) but does not read them.
        Maybe insmod makes the kernel read files.



        • #5
          Originally posted by Congelli501:
          It only impacts files read by the kernel (in the kernel code).
          I don't think the kernel reads a lot of files on its own. It exposes files (/sys, /dev, /proc) but does not read them.
          Maybe insmod makes the kernel read files.
          It seems it's actually a protection against the kernel WRITING files. It does write some files occasionally, for example core files.



          • #6
            RIP symlinks; it seems the gnomeites don't like you now either, so it's delete-the-feature time.



            • #7
              Originally posted by jacob:
              It seems it's actually a protection against the kernel WRITING files. It does write some files occasionally, for example core files.
              It's against opening paths containing symlinks by any application, i.e. it will disable symlink support. "You can readlink" is as good as "you can write the file name in a .txt and read it from there", i.e. no normal distro will use it (ChromeOS isn't normal).


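The distinction in #7 (a path through a symlink cannot be opened, but readlink() on the symlink still works) can be checked directly. The following C program is an added example written for this page; it is not code from the thread, from Phoronix or from the kernel patch, and the function names (probe_dir, probe_ordinary_mount, probe_nosymfollow_tmpfs) and the scratch paths under /tmp are my own assumptions. It creates a regular file plus a symlink to it and records what open(), open() with O_NOFOLLOW and readlink() do. Run unprivileged it probes an ordinary filesystem, where the symlink is followed and only the per-call O_NOFOLLOW refuses with ELOOP. Run as root on a 5.10 or newer kernel it also mounts a tmpfs with MS_NOSYMFOLLOW, the mount(2) flag behind the nosymfollow option, and there a plain open() through the symlink fails with the same ELOOP for every process, while readlink() still returns the link body.

```c
/* Added example, not code from the thread or from the kernel patch: what an ordinary process
 * sees when open() resolves a symlink that lives on a nosymfollow mount.
 * Build: cc -Wall -o nosymfollow_demo nosymfollow_demo.c  (root on Linux 5.10+ for the tmpfs part) */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>

/* MS_NOSYMFOLLOW is 1 << 8 in include/uapi/linux/mount.h; older libc headers do not define it. */
#ifndef MS_NOSYMFOLLOW
#define MS_NOSYMFOLLOW 256
#endif

enum follow_result { FOLLOWED = 0, REFUSED_ELOOP = 1, OTHER_ERROR = 2 };

struct probe_result {
    int ok;                       /* 1 once dir/target and dir/link -> target were created */
    enum follow_result plain;     /* open(link, O_RDONLY): the mount option decides this one */
    enum follow_result nofollow;  /* open(link, O_RDONLY | O_NOFOLLOW): per-call refusal, same errno */
    int readlink_ok;              /* readlink(link) returned "target" */
};

/* Classify what path resolution did with the symlink at path. */
static enum follow_result try_open(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd >= 0) { close(fd); return FOLLOWED; }
    return errno == ELOOP ? REFUSED_ELOOP : OTHER_ERROR;
}

/* Create dir/target (a regular file) and dir/link -> target. Returns 0 on success. */
static int make_link_pair(const char *dir, char *target, char *link, size_t len)
{
    snprintf(target, len, "%s/target", dir);
    snprintf(link, len, "%s/link", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, "hello\n", 6) != 6) { close(fd); return -1; }
    close(fd);
    return symlink("target", link);
}

/* readlink() reads the link body without resolving it, so nosymfollow leaves it working. */
static int readlink_matches(const char *link, const char *expected)
{
    char buf[PATH_MAX];
    ssize_t n = readlink(link, buf, sizeof buf - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Run the three probes against a fresh target/link pair inside dir, then remove the pair. */
static struct probe_result probe_dir(const char *dir)
{
    struct probe_result r = {0};
    char target[PATH_MAX], link[PATH_MAX];
    if (make_link_pair(dir, target, link, PATH_MAX) != 0) return r;
    r.ok = 1;
    r.plain = try_open(link, O_RDONLY);
    r.nofollow = try_open(link, O_RDONLY | O_NOFOLLOW);
    r.readlink_ok = readlink_matches(link, "target");
    unlink(link); unlink(target);
    return r;
}

/* Ordinary mount (whatever backs /tmp): plain == FOLLOWED, nofollow == REFUSED_ELOOP, readlink_ok == 1. */
struct probe_result probe_ordinary_mount(void)
{
    struct probe_result r = {0};
    char dir[] = "/tmp/nosymfollow-XXXXXX";
    if (!mkdtemp(dir)) return r;
    r = probe_dir(dir);
    rmdir(dir);
    return r;
}

/* Root only: tmpfs mounted with MS_NOSYMFOLLOW on the empty directory dir. On 5.10+ plain becomes
 * REFUSED_ELOOP while readlink_ok stays 1; without CAP_SYS_ADMIN mount() fails with EPERM and ok stays 0. */
struct probe_result probe_nosymfollow_tmpfs(const char *dir)
{
    struct probe_result r = {0};
    if (mount("nosymfollow-demo", dir, "tmpfs", MS_NOSYMFOLLOW | MS_NOSUID | MS_NODEV, "size=1m") != 0)
        return r;
    r = probe_dir(dir);
    umount(dir);
    return r;
}

int main(void)
{
    struct probe_result r = probe_ordinary_mount();
    printf("ordinary mount:    ok=%d open=%d nofollow=%d readlink_ok=%d (0=followed 1=ELOOP 2=error)\n",
           r.ok, r.plain, r.nofollow, r.readlink_ok);
    char dir[] = "/tmp/nosymfollow-mnt-XXXXXX";
    if (geteuid() != 0 || !mkdtemp(dir)) return 0;   /* the tmpfs probe needs CAP_SYS_ADMIN */
    r = probe_nosymfollow_tmpfs(dir);
    printf("nosymfollow tmpfs: ok=%d open=%d nofollow=%d readlink_ok=%d\n", r.ok, r.plain, r.nofollow, r.readlink_ok);
    rmdir(dir);
    return 0;
}
```

The mount(8) equivalent of the MS_NOSYMFOLLOW call is `mount -t tmpfs -o nosymfollow none /mnt/demo` with a util-linux that knows the option. Two caveats worth keeping in mind when reading the probe output: the refusal is keyed on the mount the symlink itself lives on, so a symlink on the root filesystem that points into the nosymfollow mount is still followed, and a kernel older than 5.10 does not know the bit, so the tmpfs probe on such a kernel reports the symlink as followed rather than failing the mount.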

              • #8
                Originally posted by pal666:
                It's against opening paths containing symlinks by any application, i.e. it will disable symlink support. "You can readlink" is as good as "you can write the file name in a .txt and read it from there", i.e. no normal distro will use it (ChromeOS isn't normal).
                OK, thanks for the clarification.
                BTW, in what way is ChromeOS not "normal"?



                • #9
                  Originally posted by jacob:
                  BTW in what way is chromeos not "normal"?
                  In strict control of partitioning. They will enable the subject of the thread only on some special partition(s).
