Message ID | 20180330221804.29241-3-rosenp@gmail.com |
---|---|
State | Changes Requested |
Delegated to: | John Crispin |
Series | [LEDE-DEV,1/3] kernel: Restrict dmesg output to root. |
On 31/03/18 00:18, Rosen Penev wrote: > There is no usecase for not protecting symlinks that I know of in OpenWrt. Not even on desktop systems where you have multiple users with a shell. > > Signed-off-by: Rosen Penev <rosenp@gmail.com> Hi, does not apply due to bee696d66c95337d91fc0256afbf481dc93ddb27 please fix/resend John > --- > package/base-files/files/etc/sysctl.conf | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/package/base-files/files/etc/sysctl.conf b/package/base-files/files/etc/sysctl.conf > index 61a43057a1..790fc02654 100644 > --- a/package/base-files/files/etc/sysctl.conf > +++ b/package/base-files/files/etc/sysctl.conf > @@ -5,6 +5,10 @@ fs.suid_dumpable=2 > #disable kernel pointer access from normal users > kernel.kptr_restrict=1 > > +#enable hard/symlink protection > +fs.protected_hardlinks=1 > +fs.protected_symlinks=1 > + > net.ipv4.conf.default.arp_ignore=1 > net.ipv4.conf.all.arp_ignore=1 > net.ipv4.ip_forward=1
diff --git a/package/base-files/files/etc/sysctl.conf b/package/base-files/files/etc/sysctl.conf index 61a43057a1..790fc02654 100644 --- a/package/base-files/files/etc/sysctl.conf +++ b/package/base-files/files/etc/sysctl.conf @@ -5,6 +5,10 @@ fs.suid_dumpable=2 #disable kernel pointer access from normal users kernel.kptr_restrict=1 +#enable hard/symlink protection +fs.protected_hardlinks=1 +fs.protected_symlinks=1 + net.ipv4.conf.default.arp_ignore=1 net.ipv4.conf.all.arp_ignore=1 net.ipv4.ip_forward=1
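Review bot: the added comment "#enable hard/symlink protection" and the commit message do not cover everything this hunk sets. The message argues only for protecting symlinks, while the hunk also adds fs.protected_hardlinks=1. State why hardlink protection is wanted as well, and let the comment say what each sysctl restricts (following symlinks in sticky world-writable directories; creating hardlinks to files the user does not own or cannot read and write), in the style of the existing "#disable kernel pointer access from normal users" line. The reply reports that the patch does not apply because of bee696d66c95337d91fc0256afbf481dc93ddb27, so the context around kernel.kptr_restrict=1 needs to be regenerated against the current tree before resending.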
There is no use case for not protecting symlinks that I know of in OpenWrt. Not even on desktop systems where you have multiple users with a shell.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
 package/base-files/files/etc/sysctl.conf | 4 ++++
 1 file changed, 4 insertions(+)