Ubuntu
systemd package

Drop setting fs.protected_regular and fs.protected_fifos from sysctl defaults shipped by systemd

Bug #1845637 reported by Balint Reczey
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Confirmed
Undecided
Unassigned
systemd (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Those settings are typically set by the kernel in Ubuntu.

CVE References

Revision history for this message
Balint Reczey (rbalint) wrote :

Those defaults should probably be set by Linux, hence marking linux package as affected.
With the systemd packaging dropping the new setting originating from systemd upstream Ubuntu's defaults become less secure in this area compared to other distros leaving upstream defaults applied, thus I also mark this bug as a public security issue.

information type: Public → Public Security
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1845637

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Balint Reczey (rbalint) wrote :

This is not a bug where logs can be collected.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 242-7ubuntu1

---------------
systemd (242-7ubuntu1) eoan; urgency=medium

  * Merge from unstable
  * UBUNTU: drop setting fs.protected_regular and fs.protected_fifos from
    sysctl defaults shipped by systemd (LP: #1845637)
    File: debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6e583847b04c3f83a50f3bd6947dcae6a73d8388
  * test-execute: Filter /dev/.lxc in exec-dynamicuser-statedir.service.
    It appears in nested LXC containers and broke the armhf autopkgtest.
    (LP: #1845337)
    File: debian/patches/test-execute-Filter-dev-.lxc-in-exec-dynamicuser-statedir.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=75af888d5552f706b86182a56f12ccc8e83ca04e

systemd (242-7) unstable; urgency=medium

  * sleep: properly pass verb to sleep script
  * core: factor root_directory application out of apply_working_directory.
    Fixes RootDirectory not working when used in combination with User.
    (Closes: #939408)
  * shared/bus-util: drop trusted annotation from
    bus_open_system_watch_bind_with_description().
    This ensures that access controls on systemd-resolved's D-Bus interface
    are enforced properly.
    (CVE-2019-15718, Closes: #939353)

 -- Balint Reczey <email address hidden> Wed, 02 Oct 2019 14:13:28 +0200

Changed in systemd (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.