SUSE Support

Here When You Need Us

Disabling fs.protected_hardlinks

This document (7024245) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server for SAP Applications
SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12
SUSE Enterprise Storage
SUSE CaaS Platform
SUSE Cloud
SUSE Cloud Application Platform

Situation

Customer wants to disable fs.protected_hardlinks 

Resolution

The kernel parameter fs.protected_hardlinks is active by default in SUSE products. 
This parameter prevents unprivileged users from creating hard-links to files that they do not own and protects from a variety of attacks. 

When choosing to deviate from the recommendation by disabling fs.protected_hardlinks this significantly reduces the security posture of the configuration. 

Some packages introduces users that are e.g. used to run as daemons. Especially when these users own directories that are then operated on by privileged processes (e.g. in post/pre sections of rpm files), this introduces the risk of local privilege escalation. 

Allowing unprivileged users to create hard-links to files that they do not own is rarely necessary. If there is such a use-case that requires this to be disabled, then SUSE advises to do this on a system that does not have local service accounts that could be compromised.

Cause

Hard-links are a useful, but sometimes dangerous construct. 
fs.protected_hardlinks is a hardening measure that is necessary to the security of SUSE systems

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7024245
  • Creation Date: 07-Nov-2019
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.