On Mon, 07.11.11 14:50, Daniel J Walsh (dwa...@redhat.com) wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> It seems to be a weekly occurrence of a new CVE for some app that uses
> /tmp insecurely.
> 
> I have been on a crusade for years to stop privileged services from
> using /tmp and /var/tmp.  These services can potentially be
> interfered with by unprivileged users, potentially leading to process
> escalation.    The only server applications that need to use /tmp
> should be for communicating with users.  For example the X server, and
> potentially apps that use Kerberos, for example sssd and nfs.gssd.
> (Although maybe at some point we need to fix this.)  Most apps that
> rely on using /tmp to communicate with the user can be easily broken
> by users having individual /tmp using pam_namespace.
> 
> systemd as of Fedora 16 has the ability to run system services with
> private /tmp and /var/tmp.  I would like to propose that we make this
> the default in Fedora 17, or at least open a bugzilla on all system
> services that we know of that use /tmp and /var/tmp to make them use
> private /tmp and /var/tmp.

I am all for this, but there are two problems I see:

a) We currently default to non-shared mount propagation for /. Since the
   private /tmp feature opens a new namespace for those services, new mounts
   won't be visible to the service.

   Most folks involved agree that we should default to shared mount
   propagation instead, but the problem is that there is currently no
   nice way to do this. The clean solution would be to make
   mount propagation a kernel mount option like any other, so that we
   could just list the default for / as a mount option in fstab. Only that
   would make the default setting race free and sufficiently generic.

   So, the clean solution would require some kernel patching, and on the
   plumbers wishlist this is quite far up, but so far nobody has
   volunteered to do something about this one.

   A short-term hack could be to manually invoke mount on / to remount
   it with shared prop, in a hacked service that just does that and nothing
   else. Another option might be to simply ignore the problem...

b) We need to make clear that some services have to and may opt out of
   this, for example prefdm.service, since the X11 sockets need to be
   accessible by other users (as Dan already points out above).

And of course, normal users should not get a private tmp by default,
since the traditional definition of /tmp is that it can be used to
share files between users.

But yupp, I am all for this and would be happy to change the default for
PrivateTmp= in service files from "no" to "yes" upstream.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
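As an added illustration (not part of the thread, and not code from systemd or from either poster), here is what the opt-in and the opt-out discussed above look like in unit-file terms. The service name `example-daemon`, its binary path and the drop-in file name are placeholders; `PrivateTmp=` and `prefdm.service` are the names used in the mail.

```ini
# Added example, not from the thread. File 1 (hypothetical path):
#   /etc/systemd/system/example-daemon.service
# A privileged service that opts in to a private /tmp and /var/tmp, so an
# unprivileged user's files in the shared /tmp can never collide with,
# or be pre-created for, this service.
[Unit]
Description=Example daemon running with private /tmp (hypothetical)

[Service]
ExecStart=/usr/sbin/example-daemon
# systemd mounts a fresh, service-only /tmp and /var/tmp in a private
# mount namespace for this process; the host's /tmp is not visible to it.
PrivateTmp=yes

# File 2 (hypothetical path):
#   /etc/systemd/system/prefdm.service.d/shared-tmp.conf
# Drop-in override for a service that must keep the shared /tmp, because
# it communicates with users through files there (the X11 sockets in
# /tmp, as Dan notes). This is the "opt out" from point b) above.
[Service]
PrivateTmp=no
```

After placing the files, `systemctl daemon-reload` picks them up, and `systemctl show -p PrivateTmp <unit>` reports the effective setting per service, which is a quick way to audit which system services still see the shared /tmp. The mount-propagation caveat from point a) is independent of these files: with a non-shared / the private namespace is a snapshot, so filesystems mounted on the host after the service started (removable media, NFS shares) do not appear inside it; the short-term workaround described in the mail corresponds to `mount --make-rshared /` run early at boot.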
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel