diff options
| author | Lucas Werkmeister <mail@lucaswerkmeister.de> | 2019-01-16 00:16:10 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2019-01-16 12:22:01 +0100 |
| commit | 2732587540035227fe59e4b64b60127352611b35 (patch) | |
| tree | 66ca47a68162107ad0533a2320ef9af38c005c59 /NEWS | |
| parent | 850115b3a1119c87f14ecb7634615632ef0b1933 (diff) | |
| download | systemd-2732587540035227fe59e4b64b60127352611b35.tar.gz | |
Enable regular file and FIFO protection
These sysctls were added in Linux 4.19 (torvalds/linux@30aba6656f), and
we should enable them just like we enable the older hardlink/symlink
protection since v199. Implements #11414.
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 13 |
1 files changed, 13 insertions, 0 deletions
@@ -29,6 +29,19 @@ CHANGES WITH 241 in spe: -Db_pie=true option to meson to build position-independent executables. Note that the meson option is supported since meson-0.49. + * The fs.protected_regular and fs.protected_fifos sysctls, which were + added in Linux 4.19 to make some data spoofing attacks harder, are + now enabled by default. While this will hopefully improve the + security of most installations, it is technically a backwards + incompatible change; to disable these sysctls again, place the + following lines in /etc/sysctl.d/60-protected.conf or a similar file: + + fs.protected_regular = 0 + fs.protected_fifos = 0 + + Note that the similar hardlink and symlink protection has been + enabled since v199, and may be disabled likewise. + CHANGES WITH 240: * NoNewPrivileges=yes has been set for all long-running services |