How Debian's procps package is surprisingly opinionated
The Linux kernel has a number of fs.* sysctls to restrict the
ability to do various traditionally allowed things that have proven
to (sometimes) be exploitable to create security vulnerabilities,
as covered in sysctl/fs.txt. The kernel
has had fs.protected_hardlinks and fs.protected_symlinks
for some time, and Linux 4.19 added fs.protected_fifos and
fs.protected_regular (see the details in the commit, and some
vendors back-ported these new sysctls to their older kernels). In
early February of 2018, the
procps package of what became Debian
'Buster' decided to turn some of these on. It did it by creating a
sysctl.d file called 'protect-links.conf'. In Debian Buster this
was in /etc/sysctl.d, in Debian Bullseye it was moved to /usr/lib/sysctl.d
with the same file name, and relatively recently
this file was renamed to '99-protect-links.conf'.
Now let's digress to talk about the standard approach to naming files in /etc/sysctl.d and places like it. Files in these places are processed in lexicographical ('alphabetical') order, with later-ordered files potentially overriding earlier files. To make ordering predictable while preserving people's ability to name things freely, there is a convention of a two digit prefix on the name, like '10-ipv6-privacy.conf'. There's a further convention that such files provided by a package (such as procps) will have a low number prefix so that system administrators can easily override them with a high number prefix, e.g. '70-local-reverse-thing.conf'. We saw this before in Ubuntu's assorted procps /etc/sysctl.d additions.
A sysctl.d name that starts with '99-' is strongly opinionated, and its opinion is that you don't get to override it unless you go rather out of your way (and out of the norms of naming sysctl.d files). A name with no prefix that starts with a letter is similarly opinionated because all 'NN-<what>.conf' files will be ordered before it, making it equally hard to override it. You pretty much get to name your overriding config file something like 'zz-fix-debian.conf'.
In theory, one way to fix this is with dpkg-divert, by diverting the bad name to a good one ('10-protect-links.conf'). You could also use dpkg-statoverride to make the file mode 000, but that might cause various programs to complain. But locally we've just used a 'zz-<what>.conf' sysctl.d file name, since we already have to have a file to fix it.
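To make the ordering rules above concrete, here is an added Python simulation (not code from this post, and not procps's own code) of how 'sysctl --system' chooses and orders its files: a basename found in an earlier search directory masks the same basename in later directories, the surviving files are applied in bytewise order of basename so that later files win, and /etc/sysctl.conf is read last. The directory list follows sysctl(8); the file contents, including the values in the stand-in '99-protect-links.conf', are constructed for the example and are not Debian's actual file.

```python
from pathlib import PurePosixPath

# Directory search order used by `sysctl --system` (sysctl(8)). A basename
# seen in an earlier directory masks the same basename in later ones.
SEARCH_DIRS = [
    "/etc/sysctl.d",
    "/run/sysctl.d",
    "/usr/local/lib/sysctl.d",
    "/usr/lib/sysctl.d",
    "/lib/sysctl.d",
]

# Constructed stand-in for a filesystem: path -> file contents.
SAMPLE_FILES = {
    "/usr/lib/sysctl.d/99-protect-links.conf": """
# Constructed stand-in for the package-provided file; values are illustrative.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_fifos = 1
fs.protected_regular = 2
""",
    "/etc/sysctl.d/70-local-reverse-thing.conf": """
# A local override using the conventional "high number" prefix.
fs.protected_regular = 0
""",
    "/etc/sysctl.d/zz-fix-debian.conf": """
# A name that sorts after '99-...' in bytewise order ('z' > '9').
fs.protected_regular = 0
""",
}


def parse_conf(text):
    """Parse `key = value` lines; '#' and ';' start comments (sysctl.conf(5))."""
    settings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings.append((key.strip(), value.strip()))
    return settings


def load_order(files, search_dirs=SEARCH_DIRS):
    """Return the paths sysctl --system would apply, in application order."""
    chosen = {}  # basename -> path that wins the directory masking
    for d in search_dirs:
        for path in files:
            p = PurePosixPath(path)
            if str(p.parent) == d and p.suffix == ".conf" and p.name not in chosen:
                chosen[p.name] = path
    # Apply in bytewise (C locale) order of basename; for ASCII names this is
    # exactly what Python's default string sort produces.
    ordered = [chosen[name] for name in sorted(chosen)]
    if "/etc/sysctl.conf" in files:  # read last, after all sysctl.d files
        ordered.append("/etc/sysctl.conf")
    return ordered


def effective_sysctls(files, search_dirs=SEARCH_DIRS):
    """Final key -> (value, winning file) after every file has been applied."""
    result = {}
    for path in load_order(files, search_dirs):
        for key, value in parse_conf(files[path]):
            result[key] = (value, path)  # later files override earlier ones
    return result


if __name__ == "__main__":
    for path in load_order(SAMPLE_FILES):
        print("apply", path)
    for key, (value, source) in sorted(effective_sysctls(SAMPLE_FILES).items()):
        print(f"{key} = {value}   (from {source})")
```

Running it shows '70-local-reverse-thing.conf' being applied before '99-protect-links.conf' (so the conventional override loses), and 'zz-fix-debian.conf' being applied after it (so that one wins). Dropping the 'zz-' file from SAMPLE_FILES leaves fs.protected_regular at the package's value, and placing a file named '99-protect-links.conf' in /etc/sysctl.d masks the /usr/lib copy entirely, which is the dpkg-divert-free way to override by name rather than by ordering.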
(In Ubuntu, this only appeared in Ubuntu 20.04. It looks like Ubuntu 22.04 will likely just rename the file to '99-protect-links.conf'. For extra fun times, in 20.04, Ubuntu sets fs.protected_symlinks twice, once in /etc/sysctl.d/10-link-restrictions.conf and once in /usr/lib/sysctl.d/protect-links.conf. At least they took the former out of 22.04.)
PS: Yes, it's possible to come up with somewhat innocent explanations for this, based on an initial naming mistake and then backward compatibility with it to not 'weaken security'. I think that carrying on with this is still a mistake; it puts Debian at odds with sysadmins running Debian.
(This elaborates on a tweet.)
Written on 11 April 2022.