== How Debian's procps package is surprisingly opinionated

The Linux kernel has a number of ``fs.*'' sysctls that restrict various traditionally allowed things which have proven to (sometimes) be exploitable to create security vulnerabilities, as covered in [[sysctl/fs.txt https://www.kernel.org/doc/Documentation/sysctl/fs.txt]]. The kernel has had ``fs.protected_hardlinks'' and ``fs.protected_symlinks'' for some time, and Linux 4.19 added ``fs.protected_fifos'' and ``fs.protected_regular'' (see the details in [[the commit https://github.com/torvalds/linux/commit/30aba6656f]]; some vendors back-ported these new sysctls to their older kernels).

In early February of 2018, the _procps_ package of what became Debian 'Buster' decided to turn some of these on. It did this by shipping a sysctl.d file called 'protect-links.conf'. In Debian Buster this was in /etc/sysctl.d, in Debian Bullseye it was moved to /usr/lib/sysctl.d with the same file name, and [[relatively recently https://salsa.debian.org/debian/procps/-/commit/f6461bd6c5e476ac7cf089fdfce89560f926d964]] the file was renamed to '99-protect-links.conf'.

Now let's digress to talk about the standard approach to naming files in /etc/sysctl.d and places like it. Files in these directories are processed in lexicographical ('alphabetical') order, and a setting in a later-ordered file overrides the same setting in an earlier one. To make the ordering predictable while preserving people's ability to name things freely, there is a convention of a two digit prefix on the name, like '10-ipv6-privacy.conf'. There's a further convention that such files provided by a package (such as procps) get a low number prefix, so that system administrators can easily override them with a high number prefix, eg '70-local-reverse-thing.conf'. We saw this before in [[Ubuntu's assorted procps /etc/sysctl.d additions UbuntuKernelLogLevels]].
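To make the ordering concrete, here is an added example (not code from the post, Debian or procps) that models how systemd-sysctl picks which sysctl.d fragment wins, and runs it against a constructed tree containing Debian's '99-protect-links.conf' plus two local overrides. The rules it assumes are the ones documented for sysctl.d: all '*.conf' files from the configured directories are sorted together by bare file name in C-locale order, a same-named file in a higher priority directory (/etc over /run over /usr/lib) masks the lower one, and the last assignment of a key wins. The local file names '70-local-links.conf' and 'zz-fix-debian.conf', and the temp-directory layout, are my assumptions for the demonstration; the settings in the Debian-named file are the two the post describes.

```shell
#!/bin/sh
# Added example: a small model of systemd-sysctl's fragment ordering, run
# against a constructed (not real) sysctl.d tree. Assumed rules, from
# sysctl.d(5): files are sorted together by bare name in C-locale order,
# higher-priority directories mask same-named lower ones, last assignment wins.

# sysctl_order DIR...   (directories given from lowest to highest priority)
# Prints the fragment paths in the order their settings would be applied.
sysctl_order() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*.conf; do
            [ -f "$f" ] || continue
            printf '%s\t%s\n' "${f##*/}" "$f"
        done
    done | awk -F'\t' '{ path[$1] = $2 }   # a later (higher-priority) dir masks the same name
                    END { for (n in path) print n "\t" path[n] }' \
         | LC_ALL=C sort | cut -f2-
}

# sysctl_winner KEY DIR...
# Prints "path=value" for the assignment of KEY that takes effect, or nothing.
sysctl_winner() {
    key=$1; shift
    winner=""
    for f in $(sysctl_order "$@"); do        # assumes paths without whitespace
        v=$(awk -F= -v k="$key" '
            /^[[:space:]]*[#;]/ { next }      # skip comment lines
            {
                gsub(/[[:space:]]/, "", $1)   # "fs.protected_symlinks " -> key
                sub(/^-/, "", $1)             # "-key" form (ignore-errors prefix)
                if ($1 == k) {
                    sub(/^[[:space:]]+/, "", $2)
                    sub(/[[:space:]]+$/, "", $2)
                    val = $2                  # last assignment within a file wins
                }
            }
            END { if (val != "") print val }' "$f")
        [ -n "$v" ] && winner="$f=$v"
    done
    printf '%s\n' "$winner"
}

# demo_tree: build a constructed sysctl.d tree under a temp dir and print its root.
# The Debian-named file carries the two settings the post talks about; the local
# file names are assumptions made for this demonstration.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/sysctl.d" "$root/etc/sysctl.d"
    printf 'fs.protected_hardlinks = 1\nfs.protected_symlinks = 1\n' \
        > "$root/usr/lib/sysctl.d/99-protect-links.conf"
    # Conventional local override: '70-' sorts before '99-', so it silently loses.
    printf 'fs.protected_symlinks = 0\n' > "$root/etc/sysctl.d/70-local-links.conf"
    # A name that sorts after every 'NN-' file: this one actually takes effect.
    printf 'fs.protected_symlinks = 0\n' > "$root/etc/sysctl.d/zz-fix-debian.conf"
    printf '%s\n' "$root"
}

# demo: show the application order and the effective setting for the tree above.
demo() {
    root=$(demo_tree)
    echo "fragments in the order they are applied:"
    sysctl_order "$root/usr/lib/sysctl.d" "$root/etc/sysctl.d"
    echo "fs.protected_symlinks is set by:"
    sysctl_winner fs.protected_symlinks "$root/usr/lib/sysctl.d" "$root/etc/sysctl.d"
    rm -rf "$root"
}
```

Source the file and call 'demo' to see that '70-local-links.conf' is applied before '99-protect-links.conf' and therefore loses, while 'zz-fix-debian.conf' is applied last and wins. On a real machine with a reasonably recent systemd, 'systemd-sysctl --cat-config' prints the merged fragments in their application order, which is the quickest way to check what your local override is really doing.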
A sysctl.d name that starts with '99-' is strongly opinionated, and its opinion is that you don't get to override it unless you go rather out of your way (and out of the norms for naming sysctl.d files). A name with no numeric prefix that starts with a letter is similarly opinionated, because digits sort before letters and so all 'NN-.conf' files will be ordered before it, making it equally hard to override. You pretty much have to name your overriding config file something like 'zz-fix-debian.conf'.

In theory, one way to fix this is with [[dpkg-divert https://manpages.debian.org/bullseye/dpkg/dpkg-divert.1.en.html]], by diverting the bad name to a good one ('10-protect-links.conf'). You could also use [[dpkg-statoverride https://manpages.debian.org/bullseye/dpkg/dpkg-statoverride.1.en.html]] to make the file mode 000, but that might cause various programs to complain. But locally we've just used a 'zz-.conf' sysctl.d file name, since we already have to have a file to fix it.

(In Ubuntu, this only appeared in Ubuntu 20.04. It looks like Ubuntu 22.04 will likely just rename the file to '99-protect-links.conf'. For extra fun times, in 20.04 Ubuntu sets ``fs.protected_symlinks'' twice, once in /etc/sysctl.d/10-link-restrictions.conf and once in /usr/lib/sysctl.d/protect-links.conf. At least they took the former out of 22.04.)

PS: Yes, it's possible to come up with somewhat innocent explanations for this, based on an initial naming mistake and then backward compatibility with it so as not to 'weaken security'. I think that carrying on with this is still a mistake; it puts Debian at odds with the sysadmins running Debian.

(This elaborates on [[a tweet https://twitter.com/thatcks/status/1513577403112640529]].)