How Debian's procps package is surprisingly opinionated

April 11, 2022

The Linux kernel has a number of fs.* sysctls to restrict the ability to do various traditionally allowed things that have proven to (sometimes) be exploitable to create security vulnerabilities, as covered in sysctl/fs.txt. The kernel has had fs.protected_hardlinks and fs.protected_symlinks for some time, and Linux 4.19 added fs.protected_fifos and fs.protected_regular (see the details in the commit, and some vendors back-ported these new sysctls to their older kernels). In early February of 2018, the procps package of what became Debian 'Buster' decided to turn some of these on. It did it by creating a sysctl.d file called 'protect-links.conf'. In Debian Buster this was in /etc/sysctl.d, in Debian Bullseye it was moved to /usr/lib/sysctl.d with the same file name, and relatively recently this file was renamed to '99-protect-links.conf'.

Now let's digress to talk about the standard approach to naming files in /etc/sysctl.d and places like it. Files in these places are processed in lexicographical ('alphabetical') order, with later-ordered files potentially overriding earlier files. To make ordering predictable while preserving people's ability to name things freely, there is a convention of a two digit prefix on the name, like '10-ipv6-privacy.conf'. There's a further convention that such files provided by a package (such as procps) will have a low number prefix so that system administrators can easily override them with a high number prefix, eg '70-local-reverse-thing.conf'. We saw this before in Ubuntu's assorted procps /etc/sysctl.d additions.

A sysctl.d name that starts with '99-' is strongly opinionated, and its opinion is that you don't get to override it unless you go rather out of your way (and out of the norms of naming sysctl.d files). A name with no prefix that starts with a letter is similarly opinionated because all 'NN-<what>.conf' files will be ordered before it, making it equally hard to override it. You pretty much get to name your overriding config file something like 'zz-fix-debian.conf'.

In theory, one way to fix this is with dpkg-divert, by diverting the bad name to a good one ('10-protect-links.conf'). You could also use dpkg-statoverride to make the file mode 000, but that might cause various programs to complain. But locally we've just used a 'zz-<what>.conf' sysctl.d file name, since we already have to have a file to fix it.
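To make the ordering rules concrete, here is an added shell example (not from the post) that emulates systemd-sysctl's drop-in precedence over a constructed sample tree in a temporary directory: a '70-' file loses to a '99-' file, the 'zz-' workaround wins, and a basename in /etc masks the same basename in /usr/lib. The file contents are invented stand-ins, not Debian's actual protect-links.conf; it assumes `mktemp -d` and a `sort` that accepts `-s`, and never touches the real /etc/sysctl.d or the running kernel.

```sh
#!/bin/sh
# Added example (not from the post): emulate how systemd-sysctl orders
# sysctl.d drop-ins, using a constructed sample tree under a temp dir.
export LC_ALL=C   # systemd compares names bytewise, so digits sort before letters

# effective_sysctl DIR...   (directories in precedence order, e.g. /etc first)
# Prints the winning key=value for every key. Rules applied:
#  1. all *.conf basenames are sorted together, across directories;
#  2. a basename present in several directories is read only from the
#     first (highest-precedence) directory given;
#  3. later-sorted files override values set by earlier ones.
effective_sysctl() {
    for d in "$@"; do
        for f in "$d"/*.conf; do
            [ -f "$f" ] && printf '%s\t%s\n' "${f##*/}" "$f"
        done
    done |
    sort -s -t "$(printf '\t')" -k1,1 |          # by basename, stable
    awk -F'\t' '!seen[$1]++ { print $2 }' |       # first dir wins a basename
    while IFS= read -r f; do
        # drop comments, blank lines and whitespace, leaving key=value
        sed -e 's/[#;].*//' -e 's/[[:space:]]//g' -e '/^$/d' "$f"
    done |
    awk -F= '{ v[$1] = $2 } END { for (k in v) print k "=" v[k] }' | sort
}

# make_sample_tree: build the constructed scenario and print its root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    # stand-in for the package's late-sorting file (values are made up)
    printf 'fs.protected_fifos = 1\nfs.protected_regular = 2\n' \
        > "$root/usr/lib/sysctl.d/99-protect-links.conf"
    # local admin file with the conventional "high" number: still loses
    printf 'fs.protected_fifos = 2\n' > "$root/etc/sysctl.d/70-local.conf"
    # the zz- workaround from the post: sorts after 99-, so it wins
    printf 'fs.protected_regular = 1\n' > "$root/etc/sysctl.d/zz-fix-debian.conf"
    # same basename in both trees: the /etc copy masks the /usr/lib one
    printf 'kernel.kptr_restrict = 1\n' > "$root/usr/lib/sysctl.d/50-default.conf"
    printf 'kernel.kptr_restrict = 2\n' > "$root/etc/sysctl.d/50-default.conf"
    printf '%s\n' "$root"
}

root=$(make_sample_tree)
effective_sysctl "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
rm -rf "$root"
```

Running it prints `fs.protected_fifos=1`, `fs.protected_regular=1` and `kernel.kptr_restrict=2`: the 70- setting was overridden, the zz- setting stuck, and the /etc copy of 50-default.conf was the one read.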

(In Ubuntu, this only appeared in Ubuntu 20.04. It looks like Ubuntu 22.04 will likely just rename the file to '99-protect-links.conf'. For extra fun times, in 20.04, Ubuntu sets fs.protected_symlinks twice, once in /etc/sysctl.d/10-link-restrictions.conf and once in /usr/lib/sysctl.d/protect-links.conf. At least they took the former out of 22.04.)

PS: Yes, it's possible to come up with somewhat innocent explanations for this, based on an initial naming mistake and then backward compatibility with it to not 'weaken security'. I think that carrying on with this is still a mistake; it puts Debian at odds with sysadmins running Debian.

(This elaborates on a tweet.)


Comments on this page:

By someone at 2022-04-12 03:42:26:

I do wonder though: doesn't Debian's systemd package collide with these settings anyway?

https://github.com/systemd/systemd/tree/main/sysctl.d

Or does Debian strip this?

(Note that the upstream version in systemd puts this at level 50-…, to make it overridable)

By Chris at 2022-04-18 17:12:00:

Or does Debian strip this?

Debian's systemd indeed does not ship these files. I believe this is due to "we must support more than one init".

Written on 11 April 2022.
Last modified: Mon Apr 11 22:14:36 2022