
We have an NFS export for any of our users to install and maintain useful software for the network, mounted at /public on our clients. On the NFS server, this directory is world writable with the sticky bit set (like /tmp).

One of the users of this service has a symbolic link in /public to an executable file. Since we upgraded our workstations from Ubuntu 9.04 to 10.10, we get permission denied when we try to execute this file via the symbolic link. If we remove the sticky bit, we no longer get permission denied.

I haven't found anything in our logs or dmesg. Is this an AppArmor feature or a bug introduced between Ubuntu 9.04 and 10.10?

Jeff Strunk
  • You don't mention what happens if you take the symlink out of the equation. Can you execute /the/full/path? Also, can you cd to /the/path and ./execute the file? – Chris Apr 17 '12 at 19:34
  • I'm not sure what the etiquette is for editing someone else's question, but since I tagged on the bounty I'll at least answer in the comments. For me I can execute the full path, and I have execute permissions on the folder the symlink is in. Symlink permissions are lrwxrwxrwx. For me, this stopped working after upgrading my Linux Mint Debian to the latest upgrade package. – Jeff Apr 17 '12 at 20:11

3 Answers


You probably see the effect of symlink security hardening introduced since Ubuntu 10.10. This feature can be turned off through /proc/sys/kernel/yama/protected_sticky_symlinks.

On Debian, this feature can be turned off by adding the following to /etc/sysctl.conf:

fs.protected_symlinks = 0

Yet another variation on this theme is kernel.grsecurity.linking_restrictions — this is one of many sysctl options added by the grsecurity patch.

Currently (2012-04-19) the symlink protection feature has not been merged in the upstream kernel, although there is some recent effort to merge the Debian variation of the patch (together with some other hardening changes).

Pang
Sergey Vlasov
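The following script is an added example and is not part of the answer above or of any Ubuntu/Debian tooling. It implements the rule that both knobs named above enforce, as documented for fs.protected_symlinks and Yama's protected_sticky_symlinks: inside a world-writable directory with the sticky bit set, a symlink is followed only when the follower's uid owns the link or the directory's owner owns the link. Given a real path it reports whether the link would be refused, and it prints whichever sysctl knob this kernel exposes. The script name and the GNU `stat -c` usage (Debian/Ubuntu coreutils) are assumptions; the knob paths are the two named in the answer.

```sh
#!/bin/sh
# Added example, not part of the original answers: decide whether the
# sticky-symlink restriction would refuse to follow a symlink, and show which
# sysctl knob is present on this kernel.

# Return 0 if the octal mode string (as printed by `stat -c %a`, e.g. 1777)
# has both the sticky bit and the other-write bit, 1 if not, 2 if unparseable.
sticky_world_writable() {
    mode=$1
    case ${#mode} in
        4) special=${mode%???}; perms=${mode#?} ;;
        3) special=0; perms=$mode ;;
        *) echo "sticky_world_writable: unexpected mode '$mode'" >&2; return 2 ;;
    esac
    other=${perms#??}
    # Each variable is one decimal digit, so decimal arithmetic is enough:
    # sticky is the 1 bit of the special digit, other-write the 2 bit of "other".
    [ $(( special % 2 )) -eq 1 ] && [ $(( (other / 2) % 2 )) -eq 1 ]
}

# symlink_allowed DIR_MODE DIR_UID LINK_UID FOLLOWER_UID
# Return 0 if the link may be followed under the restriction, 1 if it would be
# refused (EACCES), 2 on a bad mode string.
symlink_allowed() {
    dir_mode=$1; dir_uid=$2; link_uid=$3; follower_uid=$4
    rc=0
    sticky_world_writable "$dir_mode" || rc=$?
    [ "$rc" -eq 2 ] && return 2
    [ "$rc" -eq 1 ] && return 0        # not a sticky world-writable dir: no restriction
    [ "$follower_uid" = "$link_uid" ] && return 0   # follower owns the link
    [ "$dir_uid" = "$link_uid" ] && return 0        # directory owner owns the link
    return 1
}

# Inspect a real symlink. `stat` without -L reports the link's own owner,
# which is the uid the rule compares; GNU stat (coreutils) is assumed.
check_symlink() {
    link=$1
    dir=$(dirname -- "$link")
    if symlink_allowed "$(stat -c %a -- "$dir")" "$(stat -c %u -- "$dir")" \
                       "$(stat -c %u -- "$link")" "$(id -u)"; then
        echo "$link: allowed"
    else
        echo "$link: would be refused while the protection is on"
    fi
}

# Print whichever knob this kernel has (Ubuntu's Yama variant or the upstream
# fs.protected_symlinks); a value of 1 means the restriction is active.
show_knob() {
    for f in /proc/sys/fs/protected_symlinks \
             /proc/sys/kernel/yama/protected_sticky_symlinks; do
        if [ -r "$f" ]; then
            printf '%s = %s\n' "$f" "$(cat "$f")"
        fi
    done
}

# Usage (script name assumed): sh check_sticky_symlink.sh /public/some-link [...]
show_knob
for p in "$@"; do
    check_symlink "$p"
done
```

Two things follow from the rule itself rather than from the knob. Setting the sysctl to 0 turns the protection off for every sticky world-writable directory on the host, /tmp included, not just the NFS mount. A narrower fix for the case in the question is to make the symlink owned by the directory's owner (`chown -h` on the link, as the same uid that owns /public, as seen by the client): the rule then permits every user to follow it while the protection stays on elsewhere.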

My Linux Mint Debian box seems to have experienced something very similar to the symlink security hardening that Sergey described in his answer.

If you're running Debian, add the following to your /etc/sysctl.conf:

fs.protected_symlinks = 0
Jeff
  • Why not edit Sergey's answer to include this detail? It sounds like he was on the right track, so you could make the answer more complete and then accept it. – amcnabb Apr 18 '12 at 15:46
  • @amcnabb Well, this Jeff isn't the Jeff that asked the original question, so I can't technically accept his answer. And I believe if I found an answer that can be useful for myself and others, I deserve the upvotes for it :) – Jeff Apr 19 '12 at 07:22

Do this, and attach the output here:

cat /etc/exports

also, take a look at following: SettingUpNFSHowTo - Community Ubuntu Documentation

alexus