We have an NFS export for any of our users to install and maintain useful software for the network, mounted at /public on our clients. On the NFS server, this directory is world writable with the sticky bit set (like /tmp).
One of the users of this service has a symbolic link in /public to an executable file. Since we upgraded our workstations from Ubuntu 9.04 to 10.10, we get permission denied when we try to execute this file via the symbolic link. If we remove the sticky bit, we no longer get permission denied.
I haven't found anything in our logs or dmesg. Is this an AppArmor feature or a bug introduced between Ubuntu 9.04 and 10.10?
You probably see the effect of symlink security hardening introduced since Ubuntu 10.10. This feature can be turned off through /proc/sys/kernel/yama/protected_sticky_symlinks. On Debian, this feature can be turned off by adding the following to /etc/sysctl.conf:

Yet another variation on this theme is kernel.grsecurity.linking_restrictions — this is one of many sysctl options added by the grsecurity patch.

Currently (2012-04-19) the symlink protection feature has not been merged in the upstream kernel, although there is some recent effort to merge the Debian variation of the patch (together with some other hardening changes).
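A small diagnostic for the behaviour described in the question and the answer above, written as an added example (not code from the thread or any poster): it applies the three facts the sticky-symlink protection checks (world-writable sticky directory, symlink owner, directory owner versus the calling uid), reports which of the knobs named above the running kernel exposes, and explains the verdict for a given path. GNU stat(1) format strings are assumed; the knob paths are the sysctl names from the answer mapped onto /proc/sys.

```shell
# Rule the kernel applies (Yama / Debian variant): refuse to follow a
# symlink when it sits in a world-writable, sticky directory, the process
# following it is not the symlink's owner, and the directory's owner is not
# the symlink's owner either.
#
# sticky_symlink_blocked DIR_MODE DIR_UID LINK_UID FOLLOWER_UID
#   DIR_MODE: directory permission bits in octal as stat prints them (1777).
#   Returns 0 when the kernel would refuse (EACCES), 1 when it would allow.
sticky_symlink_blocked() {
    dir_mode=$1 dir_uid=$2 link_uid=$3 follower_uid=$4
    # Sticky bit (01000) and other-write (00002) must both be set on the dir.
    [ $(( 0$dir_mode & 01002 )) -eq $(( 01002 )) ] || return 1
    [ "$follower_uid" -ne "$link_uid" ] || return 1
    [ "$dir_uid" -ne "$link_uid" ] || return 1
    return 0
}

# Report which of the knobs named in the thread this kernel exposes, with its
# current value; "unavailable" when neither file exists (e.g. stock kernel).
protected_symlinks_setting() {
    for f in /proc/sys/kernel/yama/protected_sticky_symlinks \
             /proc/sys/kernel/grsecurity/linking_restrictions; do
        if [ -r "$f" ]; then
            printf '%s=%s\n' "$f" "$(cat "$f")"
            return 0
        fi
    done
    echo unavailable
}

# Diagnose one path for the calling user. GNU stat(1) format strings are
# assumed; stat does not follow the symlink, so %u is the link's own owner.
# Returns 0 when the rule would refuse, 1 when it would allow, 2 if not a link.
diagnose_symlink() {
    link=$1
    [ -L "$link" ] || { echo "$link: not a symlink"; return 2; }
    dir=$(dirname "$link")
    dir_mode=$(stat -c %a "$dir"); dir_uid=$(stat -c %u "$dir")
    link_uid=$(stat -c %u "$link"); me=$(id -u)
    if sticky_symlink_blocked "$dir_mode" "$dir_uid" "$link_uid" "$me"; then
        echo "$link: refused - $dir is mode $dir_mode owned by uid $dir_uid," \
             "link owned by uid $link_uid, caller is uid $me"
        return 0
    fi
    echo "$link: allowed by the sticky-symlink rule"
    return 1
}
```

Running diagnose_symlink on the link in /public from a client shows whether the refusal is explained by the rule alone (link owned by one user, directory owned by root, executed by another user), which is exactly the case that removing the sticky bit makes disappear.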
My Linux Mint Debian box seems to have experienced something very similar to the symlink security hardening that Sergey described in his answer.
If you're running Debian, add the following to your /etc/sysctl.conf:

do this, and attach here:
also, take a look at the following: SettingUpNFSHowTo - Community Ubuntu Documentation