From: Craig Small Date: Sat, 3 Mar 2018 07:56:20 +0000 (+1100) Subject: misc: Add link protection examples to sysctl.conf X-Git-Tag: v3.3.13rc1~4 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8517c86560e5729e73d8014da530b45f720f0c31;p=procps-ng misc: Add link protection examples to sysctl.conf Adds both examples to the sample sysctl.conf configuration file to enable link protection for both hard and soft links. Most kernels probably have this enabled anyhow. References: https://bugs.debian.org/889098 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18078 https://github.com/torvalds/linux/commit/561ec64ae67ef25cac8d72bb9c4bfc955edfd415 --- diff --git a/sysctl.conf b/sysctl.conf index 6559310a..e846a57d 100644 --- a/sysctl.conf +++ b/sysctl.conf @@ -57,3 +57,8 @@ net/ipv4/icmp_echo_ignore_broadcasts =1 # This limits PID values to 4 digits, which allows tools like ps # to save screen space. kernel/pid_max=10000 + +# Protects against creating or following links under certain conditions +# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt +#fs.protected_hardlinks = 1 +#fs.protected_symlinks = 1
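Review bot: the two new settings at the end of the hunk are added commented out (`#fs.protected_hardlinks = 1`, `#fs.protected_symlinks = 1`), so installing this sample file leaves link protection at whatever the kernel default is, while the commit message says the examples are there "to enable link protection". Either state in the comment block that the lines must be uncommented to take effect, or ship them uncommented if enabling is the intent. The new keys also use dot separators where the entries just above use slashes (`kernel/pid_max=10000`), and the spacing around `=` differs from both existing entries; matching one existing style would keep the sample consistent. The comment "under certain conditions" sends the reader to the URL for the substance; one line per setting on what it restricts would make the sample self-explanatory.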