Published: 29 January 2018
systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.
CVSS 3 base score: 7.8
Launchpad, Ubuntu, Debian
|Ubuntu 16.04 ESM (Xenial Xerus)||
|Ubuntu 14.04 ESM (Trusty Tahr)||
mitigated by fs.protected_hardlinks = 1
patch simply refuses to set hardlink file permissions if the kernel hardening feature is turned off, which may result in breakage. We will not be releasing an update for this issue as our default configuration is not vulnerable.