A lot of times certificates and keys are set up in a way that they can
be rotated by changing symlinks. For example, this is common when
using Let's Encrypt with certbot, where the canonical location for
key material is /etc/letsencrypt/live//privkey.pem, which
is a symlink to
/etc/letsencrypt/archive//privkey$GENERATION.pem. Every time
the certificate gets renewed, the symlinks are updated.
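The archive/live layout and the symlink swap described above, as an added example that is not part of the original thread or of certbot itself. It builds the same structure in a scratch directory (the `$LAB`, `example.test` and `privkeyN.pem` names are constructed for the demo; the real paths are `/etc/letsencrypt/{archive,live}/<domain>/`), rotates to a new generation by replacing the symlink with a rename so a reader never observes a missing link, and reports the kernel's `fs.protected_symlinks` setting that the reply below relies on.

```shell
#!/bin/sh
# Added example: emulate certbot-style key rotation via symlinks in a
# throwaway directory. Nothing here touches /etc/letsencrypt.
set -eu
umask 077                                  # key material must not be group/world readable

LAB="${LAB:-$(mktemp -d)}"                 # scratch root (constructed)
DOMAIN="example.test"                      # placeholder domain name
ARCHIVE="$LAB/archive/$DOMAIN"             # holds privkey1.pem, privkey2.pem, ...
LIVE="$LAB/live/$DOMAIN"                   # holds the stable symlink privkey.pem

# setup_layout N: create archive/privkeyN.pem and point live/privkey.pem at it.
# certbot uses a relative target (../../archive/<domain>/...), so the tree
# stays valid if the whole /etc/letsencrypt directory is copied elsewhere.
setup_layout() {
    mkdir -p "$ARCHIVE" "$LIVE"
    printf 'key material generation %s\n' "$1" > "$ARCHIVE/privkey$1.pem"
    ln -s "../../archive/$DOMAIN/privkey$1.pem" "$LIVE/privkey.pem"
}

# rotate_key N: write the next generation into the archive, then replace the
# live symlink atomically. Creating the new link under a temporary name and
# renaming it over the old one is a single rename(2); there is no window in
# which live/privkey.pem is absent or dangling. Old generations stay in the
# archive untouched, so a rollback is just another symlink swap.
rotate_key() {
    printf 'key material generation %s\n' "$1" > "$ARCHIVE/privkey$1.pem"
    ln -s "../../archive/$DOMAIN/privkey$1.pem" "$LIVE/.privkey.pem.tmp"
    mv -f "$LIVE/.privkey.pem.tmp" "$LIVE/privkey.pem"
}

# current_generation: resolve the live symlink and print the generation
# number of the archive file it currently targets.
current_generation() {
    readlink "$LIVE/privkey.pem" | sed 's/.*privkey\([0-9]*\)\.pem$/\1/'
}

# protected_symlinks_status: print the kernel's fs.protected_symlinks value
# (1 means symlinks in world-writable sticky directories are only followed
# when the follower owns the link or the directory). Prints "unknown" where
# /proc/sys is not readable (some containers, non-Linux hosts).
protected_symlinks_status() {
    if [ -r /proc/sys/fs/protected_symlinks ]; then
        cat /proc/sys/fs/protected_symlinks
    else
        echo unknown
    fi
}

# demo: one full cycle, printing what a key-loading service would observe.
demo() {
    setup_layout 1
    echo "before: generation $(current_generation)"
    rotate_key 2
    echo "after:  generation $(current_generation)"
    echo "fs.protected_symlinks = $(protected_symlinks_status)"
    rm -rf "$LAB"
}
```

Run `demo` (or call `setup_layout 1` and `rotate_key 2` yourself) to see the live path keep its name while its target moves from `privkey1.pem` to `privkey2.pem`. Note that `fs.protected_symlinks` only restricts link-following inside world-writable sticky directories such as `/tmp`; it does not change anything for links under `/etc/letsencrypt`, which are root-owned in a root-owned directory, so a loader that resolves those links gains nothing from refusing symlinks outright.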
WanzenBug says:
Our security reviewers agree that there is no need for the extra restriction, as most modern Linux distributions have fs.protected_symlinks to prevent TOCTOU symlink vulnerabilities.
Addresses Issue #37.