Unexpected behaviour on output redirection after update to 20.04

[Colin Watson]

On Sun, Apr 26, 2020 at 09:21:26PM +0200, ubuntu-users-list at thomas.freit.ag wrote:
> since I updated from 19.10 to 20.04 on two machines, I have an unexpected behavior on output redirection, which fails for root (and worked before with 19.10):
> 
> To reproduce:
> 
> 1) create a file as user:
> user at host:~$ echo `date` > /var/tmp/testfile
> user at host:~$ ls -l /var/tmp/testfile
> -rw-rw-r-- 1 user group 33 Apr 26 20:56 /var/tmp/testfile
> 
> 2) redirect output as root to that file (append a line):
> root at host:~# echo `date` >> /var/tmp/testfile
> zsh: permission denied: /var/tmp/testfile
> 
> I would expect, that root could just append to any file on a local filesystem (ext4 in this case). This happens in bash as well.

The NEWS file for systemd 241 says:

        * The fs.protected_regular and fs.protected_fifos sysctls, which were
          added in Linux 4.19 to make some data spoofing attacks harder, are
          now enabled by default. While this will hopefully improve the
          security of most installations, it is technically a backwards
          incompatible change; to disable these sysctls again, place the
          following lines in /etc/sysctl.d/60-protected.conf or a similar file:

              fs.protected_regular = 0
              fs.protected_fifos = 0

          Note that the similar hardlink and symlink protection has been
          enabled since v199, and may be disabled likewise.

Here's the corresponding kernel documentation:

    protected_fifos:
    
    The intent of this protection is to avoid unintentional writes to
    an attacker-controlled FIFO, where a program expected to create a regular
    file.
    
    When set to "0", writing to FIFOs is unrestricted.
    
    When set to "1" don't allow O_CREAT open on FIFOs that we don't own
    in world writable sticky directories, unless they are owned by the
    owner of the directory.
    
    When set to "2" it also applies to group writable sticky directories.
    
    This protection is based on the restrictions in Openwall.

    ==============================================================

    protected_regular:
    
    This protection is similar to protected_fifos, but it
    avoids writes to an attacker-controlled regular file, where a program
    expected to create one.
    
    When set to "0", writing to regular files is unrestricted.
    
    When set to "1" don't allow O_CREAT open on regular files that we
    don't own in world writable sticky directories, unless they are
    owned by the owner of the directory.
    
    When set to "2" it also applies to group writable sticky directories.

-- 
Colin Watson                                       [cjwatson at ubuntu.com]