
The kernel does not enforce the restricted O_CREAT of FIFOs and regular files by default, as that could be considered a breaking change. systemd 241+, however, sets the fs.protected_regular and fs.protected_fifos sysctls to enabled to turn this functionality on, similar to how systemd already enforces hardlink/symlink protection. The protection is meant to avoid unintentional writes to an attacker-controlled FIFO or regular file. That Linux 4.19 kernel commit notes at least a handful of security vulnerabilities that this functionality could have prevented, with those CVEs going back to at least the year 2000.
These new sysctl options were enabled by this systemd commit on Wednesday. The change will be found in the systemd 241 release along with the "system down" fixes. Of course, you can always set those sysctl values manually (on Linux 4.19+) regardless of the systemd release if you want this level of protection today.
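As an added example (not from the article or the systemd project), this shell function audits whether the two sysctls are enabled on a host. The function names and the optional proc-root argument are hypothetical; the value meanings (0 off, 1 and 2 on) follow the kernel's sysctl documentation rather than the article.

```shell
#!/bin/sh
# Added example: audit fs.protected_fifos and fs.protected_regular.
# Usage: audit_protected [PROC_ROOT]   (PROC_ROOT defaults to /proc)
# To enable by hand on Linux 4.19+ (as root):
#   sysctl -w fs.protected_fifos=1 fs.protected_regular=1

# kernel_supports RELEASE -> status 0 if RELEASE is 4.19 or newer
kernel_supports() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}          # "19.0-1-amd64" -> "19"
    case $major in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 19 ]; }
}

# Prints one line per sysctl.
# Returns 0 if both are enabled, 1 if either is off, 2 if the kernel is too old.
audit_protected() {
    root=${1:-/proc}
    release=$(cat "$root/sys/kernel/osrelease" 2>/dev/null) || release=unknown
    if ! kernel_supports "$release"; then
        echo "UNSUPPORTED kernel=$release (needs 4.19+)"
        return 2
    fi
    rc=0
    for name in protected_fifos protected_regular; do
        file="$root/sys/fs/$name"
        if [ ! -r "$file" ]; then
            echo "MISSING fs.$name"
            rc=1
            continue
        fi
        value=$(cat "$file")
        case $value in
            0)   echo "DISABLED fs.$name=0"; rc=1 ;;
            # 1: world-writable sticky dirs; 2: also group-writable ones
            1|2) echo "ENABLED fs.$name=$value" ;;
            *)   echo "UNKNOWN fs.$name=$value"; rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and call `audit_protected` with no argument to check the running system; a non-zero status means at least one protection is off or unavailable.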