Features/ServicesPrivateTmp

From FedoraProject

Revision as of 19:47, 19 January 2012

Feature Name

Change several dangerous domains to use PrivateTmp in their unit file.

Summary

Run some services started by systemd with a private /tmp directory. This mitigates the risk that a service mishandles its /tmp data in a way that lets a user on the system escalate privileges, since users would not have access to the service's /tmp directory.


Owner

  • Email: dwalsh@redhat.com

Current status

  • Targeted release: [Fedora 17]
  • Last updated: Tue Jan 17 2012
  • Percentage of completion: 75%


Detailed Description

It seems to be a weekly occurrence of a new CVE for some app that uses /tmp insecurely.

Privileged services should stop using /tmp and /var/tmp. Unprivileged users can potentially interfere with these services, potentially leading to privilege escalation. The only server applications that need to use /tmp should be those communicating with users: for example the X server, and potentially apps that use Kerberos, such as sssd and nfs.gssd (although maybe at some point we need to fix this). Most apps that rely on /tmp to communicate with the user can easily be broken by giving users individual /tmp directories using pam_namespace.

systemd as of Fedora 16 has the ability to run system services with a private /tmp. I would like to propose that we change most of the services that use /tmp to use PrivateTmp in Fedora 17.

I have opened 48 bugs along with the blocker bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=782466 as a blocker bug for tracking system services that I believe use /tmp.

  • Note: systemd in Fedora 16 is currently broken. This feature requires systemd-38.

Benefit to Fedora

Fedora systems would be more secure, and mitigated against /tmp privilege escalation.

Scope

This bugzilla is a blocker on all services that need to change their service unit file to include PrivateTmp=True:

https://bugzilla.redhat.com/show_bug.cgi?id=782466

How To Test

Administrators that expect to find services' /tmp data in /tmp will have to look in a new location. Sharing data via /tmp from a user to a system service, or vice versa, might be broken.
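A small audit of unit files for the PrivateTmp= setting described above, as an added example that is not part of the feature page. The unit file names and contents are constructed; live_check assumes a running systemd host with systemctl and /proc/PID/mountinfo available.

```shell
#!/bin/sh
# Audit systemd unit files for PrivateTmp= (added example; not from the feature page).
# Assumes standard unit syntax: the last PrivateTmp= inside [Service] wins, and systemd
# accepts 1/yes/true/on (case-insensitive) as true; PrivateTmp= in other sections is ignored.

# private_tmp_status FILE -> prints "yes" if [Service] enables PrivateTmp, else "no".
private_tmp_status() {
    awk '
        /^[ \t]*\[/ { in_svc = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_svc && /^[ \t]*PrivateTmp[ \t]*=/ {
            v = tolower($0); sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            st = (v == "1" || v == "yes" || v == "true" || v == "on") ? "yes" : "no"
        }
        END { if (st == "") st = "no"; print st }
    ' "$1"
}

# audit_units DIR -> one line per *.service file: "<yes|no>  <path>"
audit_units() {
    for f in "$1"/*.service; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(private_tmp_status "$f")" "$f"
    done
}

# write_sample_units DIR -> two constructed units: one still on the shared /tmp,
# one hardened with the PrivateTmp= line the tracker bug asks each service to add.
write_sample_units() {
    printf '[Unit]\nDescription=constructed example, shared /tmp\n\n[Service]\nExecStart=/usr/bin/true\n' \
        > "$1/shared-tmp.service"
    printf '[Unit]\nDescription=constructed example, private /tmp\n\n[Service]\nExecStart=/usr/bin/true\nPrivateTmp=true\n' \
        > "$1/private-tmp.service"
}

# live_check UNIT: on a running systemd host (not exercised here), show the effective
# setting and confirm the main process sees its own /tmp mount; with PrivateTmp the
# mount source is a /tmp/systemd-private-* directory rather than the shared /tmp.
live_check() {
    systemctl show -p PrivateTmp "$1"
    pid=$(systemctl show -p MainPID "$1" | cut -d= -f2)
    [ "${pid:-0}" -gt 0 ] && awk '$5 == "/tmp"' "/proc/$pid/mountinfo"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_sample_units "$d" && audit_units "$d"; rm -rf "$d"
fi
```

Run with `--demo` to see the two constructed units audited; point audit_units at /usr/lib/systemd/system to review the units on a real host.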

Documentation

Release Notes

Comments and Discussion

  • Kerberos Problems:

Kerberos has stored the CC file in /tmp since it was invented. Certain priv apps like rpc.gssd and sssd want to use the user's /tmp for reading or creation of those files.

If the user has a different /tmp than rpc.gssd or sssd, these tools will fail. I am working with the sssd/kerberos teams to move the default location for credential cache files to /run/user/USERNAME/. Perhaps a feature of Fedora 18.

Replay Cache files are currently stored in /var/tmp so this should not be a problem.