From Fedora Project Wiki
Line 15: Line 15:
The basic idea is to provide better security to Fedora installs. Though Polyinstantiated /tmp has worked since Fedora 19, its not a single step process to configure it. Secondly people dont really understand its benifits. Because of this having it on by default makes more sense. It is completely transparent to the user, they wont even realize that it has been enabled.
The basic idea is to provide better security to Fedora installs. Though Polyinstantiated /tmp has worked since Fedora 19, its not a single step process to configure it. Secondly people dont really understand its benifits. Because of this having it on by default makes more sense. It is completely transparent to the user, they wont even realize that it has been enabled.


More references at:
The Red Hat Product Security Team assigns CWE ids to severe flaws (CVSSv2 > 7).  Here is a [https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=VERIFIED&bug_status=RELEASE_PENDING&bug_status=CLOSED&classification=Other&f1=status_whiteboard&list_id=2810982&o1=anywords&product=Security%20Response&query_format=advanced&v1=CWE-377 list of severe flaws caused by insecure tmp files ]
https://www.ibm.com/developerworks/library/l-polyinstantiation/


== Benefit to Fedora ==
== Benefit to Fedora ==

Revision as of 07:06, 8 September 2014

Enable Polyinstantiated /tmp and /var/tmp directories by default

Summary

Polyinstantiation of temperary directories is a pro-active security measure, which reduced chances of attacks caused due to the /tmp and /var/tmp directories being world-writable. These include flaws caused by predictive temp. file names, race conditions due to symbolic links etc.

Owner

Current status

Detailed Description

The basic idea is to provide better security to Fedora installs. Though Polyinstantiated /tmp has worked since Fedora 19, its not a single step process to configure it. Secondly people dont really understand its benifits. Because of this having it on by default makes more sense. It is completely transparent to the user, they wont even realize that it has been enabled.

The Red Hat Product Security Team assigns CWE ids to severe flaws (CVSSv2 > 7). Here is a list of severe flaws caused by insecure tmp files

Benefit to Fedora

As mentioned earlier main benefit is to provide more security to the underlying platform with minimum changes.

Scope

  • Proposal owners:

No work required to be done by proposal owner.

  • Other developers:
    • Add /tmp-inst and /var/tmp/tmp-inst to filesystem. (packagename: filesystem)
    • Enable namespaces in /etc/security/namespace.conf (packagename: PAM)
    • Enable proper selinux context and polyinstantiation_enabled boolean to be set (packagename: selinux-policy-targeted or selinux-policy)

Upgrade/compatibility impact

Everything should continue to work as normal after upgrade.

How To Test

  • No special hardware is required.
  • Install Fedora 22, with the changes incorporated in the above mentioned packages, create a non-root user, check if everything works as normal.
  • Create another user, login as the second user, create some files in /tmp and see if the first user is able to see it.
  • Repeat the above step for /var/tmp

User Experience

No change is user experience, its is completely transparent to the user.

Contingency Plan

  • Contingency mechanism: Roll back to non poly tmp, if something critical does not work
  • Contingency deadline: N/A
  • Blocks release? No

Documentation


Release Notes