Re: [LEDE-DEV] [PATCH] sysctl: Protect hard/symlinks by default.

2018-05-01 Thread John Crispin



On 30/04/18 22:15, Rosen Penev wrote:

There is no use case for not protecting symlinks that I know of in OpenWrt. Not 
even on desktop systems where you have multiple users with a shell.

Hi,
patch descriptions should be wrapped at 75 chars
    John


Signed-off-by: Rosen Penev 

v2: Move to 10-default.conf file.
---
  package/base-files/files/etc/sysctl.d/10-default.conf | 4 
  1 file changed, 4 insertions(+)

diff --git a/package/base-files/files/etc/sysctl.d/10-default.conf 
b/package/base-files/files/etc/sysctl.d/10-default.conf
index 98867b7..bfe26ca 100644
--- a/package/base-files/files/etc/sysctl.d/10-default.conf
+++ b/package/base-files/files/etc/sysctl.d/10-default.conf
@@ -5,6 +5,10 @@ kernel.panic=3
  kernel.core_pattern=/tmp/%e.%t.%p.%s.core
  fs.suid_dumpable=2
  
+#enable hard/symlink protection

+fs.protected_hardlinks=1
+fs.protected_symlinks=1
+
  net.ipv4.conf.default.arp_ignore=1
  net.ipv4.conf.all.arp_ignore=1
  net.ipv4.ip_forward=1
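
Review bot: the added comment `#enable hard/symlink protection` only restates the names of the two keys below it and does not say what the settings guard against. A short line naming the link-based abuse being blocked would help the next person reading 10-default.conf, and a space after `#` would read better.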



___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev


Re: [LEDE-DEV] [PATCH] sysctl: Protect hard/symlinks by default.

2018-04-30 Thread John Crispin



On 30/04/18 22:15, Rosen Penev wrote:

There is no use case for not protecting symlinks that I know of in OpenWrt. Not 
even on desktop systems where you have multiple users with a shell.

Signed-off-by: Rosen Penev 

v2: Move to 10-default.conf file.

Hi,
no need to resend but in future please put the v1->v2 info below the 
tear line (---) and add V2 to the description ([PATCH V2])

    John


---
  package/base-files/files/etc/sysctl.d/10-default.conf | 4 
  1 file changed, 4 insertions(+)

diff --git a/package/base-files/files/etc/sysctl.d/10-default.conf 
b/package/base-files/files/etc/sysctl.d/10-default.conf
index 98867b7..bfe26ca 100644
--- a/package/base-files/files/etc/sysctl.d/10-default.conf
+++ b/package/base-files/files/etc/sysctl.d/10-default.conf
@@ -5,6 +5,10 @@ kernel.panic=3
  kernel.core_pattern=/tmp/%e.%t.%p.%s.core
  fs.suid_dumpable=2
  
+#enable hard/symlink protection

+fs.protected_hardlinks=1
+fs.protected_symlinks=1
+
  net.ipv4.conf.default.arp_ignore=1
  net.ipv4.conf.all.arp_ignore=1
  net.ipv4.ip_forward=1





[LEDE-DEV] [PATCH] sysctl: Protect hard/symlinks by default.

2018-04-30 Thread Rosen Penev
There is no use case for not protecting symlinks that I know of in OpenWrt. Not 
even on desktop systems where you have multiple users with a shell.

Signed-off-by: Rosen Penev 

v2: Move to 10-default.conf file.
---
 package/base-files/files/etc/sysctl.d/10-default.conf | 4 
 1 file changed, 4 insertions(+)

diff --git a/package/base-files/files/etc/sysctl.d/10-default.conf 
b/package/base-files/files/etc/sysctl.d/10-default.conf
index 98867b7..bfe26ca 100644
--- a/package/base-files/files/etc/sysctl.d/10-default.conf
+++ b/package/base-files/files/etc/sysctl.d/10-default.conf
@@ -5,6 +5,10 @@ kernel.panic=3
 kernel.core_pattern=/tmp/%e.%t.%p.%s.core
 fs.suid_dumpable=2
 
+#enable hard/symlink protection
+fs.protected_hardlinks=1
+fs.protected_symlinks=1
+
 net.ipv4.conf.default.arp_ignore=1
 net.ipv4.conf.all.arp_ignore=1
 net.ipv4.ip_forward=1
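
Review bot: the commit message argues only for symlink protection, but the hunk also adds `fs.protected_hardlinks=1` directly above `fs.protected_symlinks=1`. Add a sentence on why hardlink protection is also safe to enable by default in OpenWrt, so the rationale covers both new keys.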
-- 
2.7.4

