sysctl.conf: prevent unintentional writes into attacker-controlled files and FIFOs

[ipfire-2.x.git] / config / etc / sysctl.conf

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index d48c7734e2bf4c17377bb1d770a3cf178296785b..be7c07c857daafe58bbf67b11b4d026a54346a1a 100644 (file)
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -49,6 +49,11 @@ kernel.dmesg_restrict = 1
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1
 
+# Don't allow writes to files and FIFOs that we don't own in world writable sticky
+# directories, unless they are owned by the owner of the directory.
+fs.protected_fifos = 2
+fs.protected_regular = 2
+
 # Minimal preemption granularity for CPU-bound tasks:
 # (default: 1 msec#  (1 + ilog(ncpus)), units: nanoseconds)
 kernel.sched_min_granularity_ns = 10000000