Systemd 241 Paired With Linux 4.19+ To Enable New Regular File & FIFO Protection
The Linux 4.19 kernel brought the ability to disallow opening FIFOs and regular files not owned by the user in world-writable sticky directories, as a security hardening measure. Had this ability been around earlier, it could have prevented a number of CVEs going back many years. To help ensure this functionality actually gets used, systemd 241 will now set these sysctl options to enable the behavior by default.
The restricted O_CREAT of FIFOs and regular files is not enforced by the kernel by default, since it could be considered a breaking change. Systemd 241+, however, sets the fs.protected_regular and fs.protected_fifos sysctls to enabled, much as systemd already enforces hardlink/symlink protection. The protection exists to avoid unintentional writes to an attacker-controlled FIFO or regular file. The Linux 4.19 kernel commit notes at least a handful of security vulnerabilities that this functionality would have prevented, with those CVEs going back to at least the year 2000.
These new sysctl options were enabled by a systemd commit on Wednesday. The change will ship in the systemd 241 release along with the "system down" fixes. Of course, you can always set those sysctl values manually (on Linux 4.19+) regardless of the systemd release if you want this level of protection today.
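For anyone setting the values manually, the following is an added example (not code from the article or from systemd): a POSIX sh checker that reads the two sysctls through /proc/sys/fs, reports the kernel's documented levels (0 = off, 1 = restrict in world-writable sticky directories, 2 = also group-writable sticky directories), and prints a sysctl.d drop-in that enables both at level 1. The PROC_SYS_FS variable is an assumption of this example so it can be run against a constructed directory as well as the live kernel interface.

```shell
#!/bin/sh
# Added example: audit fs.protected_regular and fs.protected_fifos and emit a
# drop-in to enable them. PROC_SYS_FS is an example-only override so the
# checker can be pointed at a constructed directory instead of the live kernel.

PROC_SYS_FS="${PROC_SYS_FS:-/proc/sys/fs}"

# Read one protection sysctl ("regular" or "fifos"). Prints "missing" when the
# file does not exist, which is what a pre-4.19 kernel looks like.
read_protected() {
    f="$PROC_SYS_FS/protected_$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# Map a raw value to the kernel's documented meaning.
describe_level() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "enabled (world-writable sticky dirs)" ;;
        2) echo "enabled (world- and group-writable sticky dirs)" ;;
        *) echo "unavailable" ;;
    esac
}

# Exit status 0 only when both protections are at least level 1, so a
# hardening or compliance script can gate on it.
check_protections() {
    ok=0
    for kind in regular fifos; do
        v="$(read_protected "$kind")"
        printf 'fs.protected_%s = %s (%s)\n' "$kind" "$v" "$(describe_level "$v")"
        case "$v" in 1|2) ;; *) ok=1 ;; esac
    done
    return "$ok"
}

# Drop-in content for /etc/sysctl.d/; apply with `sysctl --system`.
print_dropin() {
    printf '%s\n' 'fs.protected_regular = 1' 'fs.protected_fifos = 1'
}
```

On a live host, run `check_protections` as-is to see the current state, and `print_dropin > /etc/sysctl.d/60-protected-files.conf` (path chosen here, not prescribed by the article) to persist the setting where systemd does not already do so.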