Protected File Links (Kernel Symlink/Hardlink Protection)
Description
Enable the kernel filesystem link-protection sysctls to prevent exploitation of TOCTOU race conditions and symlink-following attacks in world-writable sticky directories. fs.protected_symlinks=1 prevents following a symlink in a sticky, world-writable directory (e.g., /tmp) unless the follower owns the symlink, the directory owner matches, or the symlink target owner matches. fs.protected_hardlinks=1 prevents creating hardlinks to files the caller does not own, blocking hardlink-based TOCTOU and privilege-escalation attacks. fs.protected_regular=2 and fs.protected_fifos=2 extend the same protection to regular files and FIFOs in sticky directories. These sysctls are enabled by default on RHEL 7+, but they may be modified by administrators or overridden by third-party configuration files, so their current values should be verified rather than assumed.
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | The most common filesystem TOCTOU and symlink-following pattern (swapping in a symlink or hardlink in a sticky, world-writable directory such as /tmp between a privileged process's check and its use) is blocked at the kernel level. The attacker must instead find a TOCTOU target outside the protected directories, exploit a race that does not involve filesystem links, or resort to more complex techniques such as procfs-based redirects. This significantly increases the complexity required for successful exploitation. |
CWE Relationships
Verification
Verify that all four protected file link sysctls are enabled: check the sysctl runtime values and confirm that the settings are also persisted in the sysctl configuration so they survive a reboot.

```shell
sysctl fs.protected_symlinks    # Expected: fs.protected_symlinks = 1
sysctl fs.protected_hardlinks   # Expected: fs.protected_hardlinks = 1
sysctl fs.protected_regular     # Expected: fs.protected_regular = 2
sysctl fs.protected_fifos       # Expected: fs.protected_fifos = 2
# Persistence: the keys should be set in /etc/sysctl.conf or a file under /etc/sysctl.d/
grep -r 'fs\.protected_' /etc/sysctl.conf /etc/sysctl.d/
```
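As an added example (not part of this control's own verification commands), a POSIX sh helper that compares the four sysctls against the expected hardened values and returns non-zero if any is missing or too low, plus a second function that lists the persistence files setting them. The optional directory argument is an assumption introduced here so the check can be exercised against a constructed directory as well as the live /proc/sys/fs.

```shell
#!/bin/sh
# Expected minimum values for the four link-protection sysctls (name=value).
EXPECTED="protected_symlinks=1 protected_hardlinks=1 protected_regular=2 protected_fifos=2"

# check_link_protection [sysctl_dir]
# Reads each sysctl from sysctl_dir (default /proc/sys/fs), prints one line
# per key, and returns 1 if any value is missing or below the expected value.
# A missing file means the kernel is too old to have the knob or /proc is not
# mounted; both are treated as failures because the protection is absent.
check_link_protection() {
    dir="${1:-/proc/sys/fs}"
    rc=0
    for pair in $EXPECTED; do
        name="${pair%%=*}"
        want="${pair#*=}"
        if [ -r "$dir/$name" ]; then
            have=$(cat "$dir/$name")
        else
            have="missing"
        fi
        if [ "$have" = "missing" ] || [ "$have" -lt "$want" ]; then
            echo "FAIL fs.$name = $have (expected >= $want)"
            rc=1
        else
            echo "ok   fs.$name = $have"
        fi
    done
    return $rc
}

# check_persistence
# Prints every line in the standard sysctl configuration locations that sets
# one of the four keys, so a correct runtime value is not mistaken for a
# persistent one. Nothing printed means the settings rely on kernel defaults.
check_persistence() {
    grep -HsE 'fs\.protected_(symlinks|hardlinks|regular|fifos)' \
        /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf
}
```

Run `check_link_protection` with no argument on the target host; a non-zero exit status is the signal to act on, and `check_persistence` shows where to fix the value so it survives a reboot.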