[LEDE-DEV] [PATCH V3] sysctl: Protect hard/symlinks by default.
Rosen Penev
rosenp at gmail.com
Tue May 1 12:41:31 PDT 2018
There is no use case for not protecting symlinks that I know of in OpenWrt.
Not even on desktop systems where you have multiple users with a shell.
Signed-off-by: Rosen Penev <rosenp at gmail.com>
---
v2: Move to 10-default.conf file.
v3: Edit patch description to be 75 characters per line.
package/base-files/files/etc/sysctl.d/10-default.conf | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/package/base-files/files/etc/sysctl.d/10-default.conf b/package/base-files/files/etc/sysctl.d/10-default.conf
index 98867b7..bfe26ca 100644
--- a/package/base-files/files/etc/sysctl.d/10-default.conf
+++ b/package/base-files/files/etc/sysctl.d/10-default.conf
@@ -5,6 +5,10 @@ kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
fs.suid_dumpable=2
+#enable hard/symlink protection
+fs.protected_hardlinks=1
+fs.protected_symlinks=1
+
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
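Review bot: The added comment "#enable hard/symlink protection" does not say what the two settings restrict, so a later reader of 10-default.conf cannot tell what behaviour changes or what might break. Consider expanding it: fs.protected_symlinks=1 limits following symlinks in sticky world-writable directories such as /tmp to cases where the symlink's owner matches the follower or the directory owner, and fs.protected_hardlinks=1 stops users from creating hardlinks to files they do not own or cannot read and write. The commit message also justifies only the symlink setting while the hunk enables fs.protected_hardlinks as well; a sentence covering hardlinks would make the rationale match the change.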
--
2.7.4