Sounds good to me.

On Mon, Nov 7, 2011 at 12:50 PM, Daniel J Walsh <dwa...@redhat.com> wrote:
> It seems to be a weekly occurrence of a new CVE for some app that uses
> /tmp insecurely.
>
> I have been on a crusade for years to stop privileged services from
> using /tmp and /var/tmp. These services can potentially be
> interfered with by unprivileged users, potentially leading to process
> escalation. The only server applications that need to use /tmp
> should be for communicating with users. For example the X server, and
> potentially apps that use Kerberos, for example sssd and nfs.gssd.
> (Although maybe at some point we need to fix this.) Most apps that
> rely on using /tmp to communicate with the user can be easily broken
> by users having individual /tmp using pam_namespace.
>
> systemd as of Fedora 16 has the ability to run system services with
> private /tmp and /var/tmp. I would like to propose that we make this
> the default in Fedora 17, or at least open a bugzilla on all system
> services that we know of that use /tmp and /var/tmp to make them use
> private /tmp and /var/tmp.
>
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel

--
Kurt Seifried
k...@seifried.org
skype: (206) 905-9462
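
The audit the quoted proposal calls for (finding system services that still share /tmp and /var/tmp) can be sketched as follows. This is an added example, not part of the thread or of any Fedora tooling; it assumes systemd's `PrivateTmp=` service setting, and the unit names and contents are constructed samples.

```python
import re

# systemd booleans: 1/yes/true/on (case-insensitive) mean enabled.
TRUE_VALUES = {"1", "yes", "true", "on"}
# /tmp or /var/tmp as a whole component at the start of an absolute path.
TMP_PATH = re.compile(r"(?<![\w/.-])/(?:var/)?tmp(?=/|\s|$)")

def service_settings(unit_text):
    """Yield (key, value) pairs from the [Service] section, in file order.
    Simplification: backslash line continuations are not joined."""
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            yield key.strip(), value.strip()

def audit_unit(unit_text):
    """Classify one unit: 'private', 'shared-uses-tmp' or 'shared'."""
    private_tmp, uses_tmp = False, False
    for key, value in service_settings(unit_text):
        if key == "PrivateTmp":
            private_tmp = value.lower() in TRUE_VALUES  # last assignment wins
        elif TMP_PATH.search(value):
            uses_tmp = True  # a [Service] setting names a path under /tmp
    if private_tmp:
        return "private"
    return "shared-uses-tmp" if uses_tmp else "shared"

def audit(units):
    """Map unit name -> classification for a {name: unit file text} dict."""
    return {name: audit_unit(text) for name, text in sorted(units.items())}

# Constructed sample units (hypothetical services, not from the thread).
SAMPLE_UNITS = {
    "exampled.service": "[Unit]\nDescription=Example daemon\n[Service]\n"
                        "ExecStart=/usr/sbin/exampled --socket /tmp/exampled.sock\n",
    "hardened.service": "[Service]\nExecStart=/usr/sbin/hardened --scratch /var/tmp/h\n"
                        "PrivateTmp=true\n",
    "quiet.service": "[Service]\n# no temp files\nExecStart=/usr/sbin/quiet\nPrivateTmp=no\n",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_UNITS).items():
        print(f"{name}: {status}")
```

Units reported as `shared-uses-tmp` are the ones to file bugs against first; a unit reported as `shared` may still create temporary files from inside its binary, which a scan of the unit file cannot see.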