And see also this potentially useful tutorial, which mentions these sysctl settings, among other tips...
https://blog.frehi.be/2019/01/30/linux-security-hardening-recommendations/
Gilbert
On 2020-01-02 11:22 a.m., Gilbert E. Detillieux wrote:
See also...
https://www.spinics.net/lists/fedora-devel/msg252452.html
Thanks, Trevor, for bringing this to our attention. I was not even aware of these new sysctl settings and kernel features. I can see why they'd be desirable from a security perspective, but it does break compatibility, possibly for some legitimate but obscure use cases.
Gilbert
On 2019-12-30 11:57 p.m., Trevor Cordes wrote:
After much kernel bisecting by me that yielded nothing of value, it turns out the bug isn't the kernel, it's a change in Fedora's default sysctl.conf settings between F29 and F30 that enable a new-ish kernel "feature". The "feature" turns on this behavior.
Thanks to Andrew Morton and especially Al Viro for figuring this out for me as I'm pretty sure a sysctl of some obscure feature would have been the last place I would have looked!
The solution is: echo 0 >> /proc/sys/fs/protected_regular
The new feature is (and it may be systemd deciding this):
- The fs.protected_regular and fs.protected_fifos sysctls, which were added in Linux 4.19 to make some data spoofing attacks harder, are now enabled by default. While this will hopefully improve the security of most installations, it is technically a backwards incompatible change; to disable these sysctls again, place the following lines in /etc/sysctl.d/60-protected.conf or a similar file:
  fs.protected_regular = 0
  fs.protected_fifos = 0
The bz is: https://bugzilla.kernel.org/show_bug.cgi?id=205727
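The sysctl handling the thread describes, as an added shell example written for this page rather than taken from any of the messages above: it reads the current fs.protected_* values from /proc, identifies the class of directory the restriction applies to (sticky directories writable by others, or by the group at value 2, such as /tmp), and writes the /etc/sysctl.d drop-in the quoted systemd entry mentions with one setting per line and the value range checked. The function names, the "report" argument and the temporary paths are assumptions of this example; the value semantics come from the kernel's sysctl documentation.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a Linux host with /proc
# mounted; the drop-in path mirrors the systemd NEWS entry quoted above.
#
# fs.protected_regular / fs.protected_fifos values (kernel documentation):
#   0 = restriction off
#   1 = refuse O_CREAT opens of regular files (or FIFOs) not owned by the
#       caller in world-writable sticky directories, unless the file is
#       owned by the directory owner
#   2 = as 1, and also in group-writable sticky directories

# Print the current value of an fs.* sysctl via /proc, or "unavailable"
# when the file is missing (kernel older than 4.19, or not Linux).
current_fs_sysctl() {
    f="/proc/sys/fs/$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo unavailable
    fi
}

# Classify a directory by whether the sysctls can affect opens inside it.
# Parses the 10-character mode field of `ls -ld` so it needs no GNU stat.
# Prints "world-sticky" (affected at value 1 or 2), "group-sticky"
# (affected at value 2 only) or "plain" (never affected).
classify_dir() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????????[tT]) ;;             # sticky bit set: continue to write checks
        *) echo plain; return 0 ;;
    esac
    case "$mode" in
        ????????w?) echo world-sticky ;;   # other-write bit set
        ?????w????) echo group-sticky ;;   # group-write bit set
        *) echo plain ;;
    esac
}

# Write the drop-in file, one setting per line. Values must be 0, 1 or 2;
# anything else is rejected so a typo cannot fail silently at boot.
# Apply afterwards with `sysctl --system` (or reboot).
write_protected_drop_in() {
    path=$1; regular=$2; fifos=$3
    for v in "$regular" "$fifos"; do
        case "$v" in
            0|1|2) ;;
            *) echo "invalid sysctl value: $v" >&2; return 1 ;;
        esac
    done
    printf 'fs.protected_regular = %s\nfs.protected_fifos = %s\n' \
        "$regular" "$fifos" > "$path"
}

# Usage: sh protected_sysctls.sh report
# Shows the live values and how the usual sticky directories are classed,
# which is what to check before deciding whether a breakage like the one in
# the thread is explained by these settings.
if [ "${1:-}" = report ]; then
    echo "fs.protected_regular = $(current_fs_sysctl protected_regular)"
    echo "fs.protected_fifos   = $(current_fs_sysctl protected_fifos)"
    for d in /tmp /var/tmp /dev/shm; do
        [ -d "$d" ] && echo "$d: $(classify_dir "$d")"
    done
fi
```

To restore the F29 behaviour the thread settles on, call `write_protected_drop_in /etc/sysctl.d/60-protected.conf 0 0` as root and run `sysctl --system`; keeping the defaults (1 and 1) and instead fixing the program that opens other users' files in /tmp is the lower-risk choice where that is feasible.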