Features/ServicesPrivateTmp

From FedoraProject

Difference between revisions
Comparing the older revision (edit summary: "Systemd should run all services with a private /tmp by default.") with the latest revision (edit summary: "Current status"); 11 intermediate revisions by 4 users not shown.
Line 1: Line 1:
 
= Feature Name <!-- The name of your feature --> =
 
= Feature Name <!-- The name of your feature --> =
Allow SELinux to turn off all processes ability to ptrace another process.
+
Change several dangerous domains to use PrivateTmp in their unit file.
 
== Summary ==
 
== Summary ==
 
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
 
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
Run all services started by systemd with a private /tmp directory.  This would mitigate the chance of a service making a mistake with how it handles its /tmp data allowing a user on the system to get a privilege escalation, since users would  
+
Run some services started by systemd with a private /tmp directory.  This would mitigate the chance of a service making a mistake with how it handles its /tmp data allowing a user on the system to get a privilege escalation, since users would  
 
not have access to the services /tmp directory.
 
not have access to the services /tmp directory.
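Review bot: the heading `= Feature Name <!-- The name of your feature --> =` is still the template placeholder in both columns; put the actual feature name there (the page is titled Features/ServicesPrivateTmp) and drop the HTML comment. In the rewritten Summary, `since users would not have access to the services /tmp directory` needs the possessive `service's`, and splitting the sentence after `privilege escalation` would make the mitigation claim easier to follow.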
 
   
 
   
Line 16: Line 16:
 
== Current status ==
 
== Current status ==
 
* Targeted release: [Fedora 17]  
 
* Targeted release: [Fedora 17]  
* Last updated: Tue Nov 8 2011
+
* Last updated: Tue Feb 15 2012
* Percentage of completion: 0%
+
* Percentage of completion: 100%
  
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
 
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
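Review bot: `Targeted release: [Fedora 17]` uses single brackets, which MediaWiki renders as literal bracketed text rather than a link or template, while the HTML comment below still instructs the author to replace FedoraVersion templates with plain numbers; write `Fedora 17` as plain text (or a proper `[[...]]` link) and remove the stale comment. Also, 15 February 2012 was a Wednesday, so `Tue Feb 15 2012` carries the wrong weekday.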
Line 30: Line 30:
 
applications that need to use /tmp should be for communicating with users.  For example the X server, and
 
applications that need to use /tmp should be for communicating with users.  For example the X server, and
 
potentially apps that use kerberos for example sssd and nfs.gssd. (Although maybe at some point we need to
 
potentially apps that use kerberos for example sssd and nfs.gssd. (Although maybe at some point we need to
fix this.)  Most apps that rely on using /tmp to communicate with the user can be easily broken
+
fix this.)  Most apps that rely on using /tmp to communicate with the user can be easily broken
 
by users having individual /tmp using pam_namespace.
 
by users having individual /tmp using pam_namespace.
  
systemd as of Fedora 16 has the ability to run system services with private /tmp and /var/tmp.  I would like to propose that we make this the default in Fedora 17, or at least open a bugzilla on all system services that we know of that use /tmp and /var/tmp to make them use private /tmp and /var/tmp.
+
systemd as of Fedora 16 has the ability to run system services with private /tmp.  I would like to propose that we change most of the services that use /tmp to use PrivateTmp in Fedora 17.  In the unit file, this is done with:
 +
[Service]
 +
PrivateTmp=true
 +
 
 +
I have opened 48 bugs along with the blocker bugzilla
 +
https://bugzilla.redhat.com/show_bug.cgi?id=782466
 +
 
 +
as a blocker bug for tracking system services that I believe use /tmp.
 +
 
 +
** Note.  systemd in Fedora 16 is currently broken.  This feature requires systemd-38
  
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
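Review bot: the unit-file snippet added as bare `[Service]` and `PrivateTmp=true` lines is not marked as preformatted, so the wiki joins the two lines into one paragraph and treats `[Service]` as link syntax; wrap the snippet in `<pre>` (or indent each line with a space) so it renders verbatim. The new line `** Note.  systemd in Fedora 16 is currently broken.  This feature requires systemd-38` renders as a parentless nested bullet (`**` is list markup, bold is `'''`), and it should say what is broken and which Fedora 16 update ships systemd-38, otherwise testers cannot tell whether their system qualifies.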
Line 41: Line 50:
 
== Scope ==
 
== Scope ==
 
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
This change would start to turn on namespacing on more systems.  Currently modifications to namespace would stop a running service from seeing changes to the "root" namespace.  Currently we ship /etc/init.d/sandbox which remounts the / file system as shared, fixing this problem.  We have an open bugzilla to change the mount command and kernel to handle this in the mount options which would be a preferable solution.  Since it is less racy.
 
 
https://bugzilla.redhat.com/show_bug.cgi?id=712089
 
  
Systemd would have to change its default.  systemd needs to change to be able to indicate to the admin where the services /tmp file is located in the "root" namespace. 
+
This bugzilla is a blocker on all services that need to change their service unit file to include PrivateTmp=True
  
I would open a bugzilla on all service domains that currently use /tmp to try to get them to stop, and inform them that this change it happening, so if they do not want the change, they would need to change their default unit file.
+
https://bugzilla.redhat.com/show_bug.cgi?id=782466
  
 
== How To Test ==
 
== How To Test ==
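Review bot: this hunk drops the entire mount-namespace discussion (the `/etc/init.d/sandbox` remount of `/` as shared, the mount/kernel bug https://bugzilla.redhat.com/show_bug.cgi?id=712089, and the need for systemd to show admins where a service's /tmp lives in the root namespace) and leaves only the blocker-bug link. Since PrivateTmp depends on exactly that namespacing, the Scope section should state whether those issues were resolved for Fedora 17 or still apply, and the location of the private /tmp belongs in How To Test. Also `PrivateTmp=True` here versus `PrivateTmp=true` in the Detailed Description: keep one spelling and match the snippet above.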
Line 70: Line 76:
  
 
== Comments and Discussion ==
 
== Comments and Discussion ==
* See [[Talk:Features/YourFeatureName]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
+
* See [[Talk:Features/ServicesPrivateTmp]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
  
  
[[Category:FeaturePageIncomplete]]
+
[[Category:FeatureAcceptedF17]]
 
<!-- When your feature page is completed and ready for review -->
 
<!-- When your feature page is completed and ready for review -->
 
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
 
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
 
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
 
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
 
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
 
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
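Review bot: the category moves to `FeatureAcceptedF17`, but the three HTML comments kept below it still describe the FeaturePageIncomplete to FeatureReadyForWrangler workflow, which no longer applies once the feature is accepted; remove them together with this change.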

Latest revision as of 15:18, 15 February 2012


Feature Name

Change several dangerous domains to use PrivateTmp in their unit file.

Summary

Run some services started by systemd with a private /tmp directory. This mitigates the risk that a mistake in how a service handles its /tmp data lets a user on the system escalate privileges, since users would not have access to the service's /tmp directory.


Owner

  • Email: dwalsh@redhat.com

Current status

  • Targeted release: Fedora 17
  • Last updated: Tue Feb 15 2012
  • Percentage of completion: 100%


Detailed Description

New CVEs for applications that use /tmp insecurely appear almost weekly.

Privileged services should stop using /tmp and /var/tmp. Unprivileged users can interfere with what those services put there, which can lead to privilege escalation. The only server applications that should need /tmp are those that use it to communicate with users: for example the X server, and potentially applications that use Kerberos, such as sssd and nfs.gssd. (Although maybe at some point we need to fix this.) Most applications that rely on /tmp to communicate with the user already break easily when users are given individual /tmp directories via pam_namespace.

systemd as of Fedora 16 has the ability to run system services with a private /tmp. I would like to propose that we change most of the services that use /tmp to use PrivateTmp in Fedora 17. In the unit file, this is done with:

[Service]
PrivateTmp=true

I have opened 48 bugs, along with the blocker bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=782466, as a blocker bug for tracking the system services that I believe use /tmp.

Note: systemd in Fedora 16 is currently broken; this feature requires systemd-38.
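The proposal above (and the blocker-bug list in the Scope section) amounts to an audit: which service units already carry `PrivateTmp=true` in their `[Service]` section, and which of the rest name /tmp or /var/tmp in their command lines. The following is an added example, not code from this feature page or from systemd. It reads unit text the way systemd does (INI sections, last assignment wins, drop-in snippets layered on top of the main file, systemd's boolean spellings) and flags units that touch /tmp without a private one. All unit texts in it are constructed for the demonstration; on a real host you would feed it the files under /usr/lib/systemd/system and the matching *.service.d/*.conf drop-ins.

```python
"""Static PrivateTmp audit of systemd unit files (added example, constructed input)."""
import re

# systemd boolean spellings, compared case-insensitively
_TRUE = {"1", "yes", "y", "true", "t", "on"}
_FALSE = {"0", "no", "n", "false", "f", "off"}

# [Service] keys holding command lines; these accumulate instead of overriding
_EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost",
              "ExecReload", "ExecStop", "ExecStopPost")

# a /tmp or /var/tmp path at a token boundary inside a command line
_TMP_RE = re.compile(r"""(^|[\s=:"'])/(var/)?tmp(/|$|[\s"'])""")


def parse_bool(value):
    """Interpret a systemd boolean; anything else is a configuration error."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a systemd boolean: {value!r}")


def parse_unit(text, settings=None):
    """Parse unit text into {(section, key): value}; pass an existing dict to
    layer a drop-in snippet on top of a previously parsed main file."""
    settings = {} if settings is None else settings
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in _EXEC_KEYS:
            cmds = settings.setdefault((section, key), [])
            if value == "":
                cmds.clear()          # empty assignment resets the list
            else:
                cmds.append(value)
        else:
            settings[(section, key)] = value   # scalar: last assignment wins
    return settings


def audit(main_text, dropins=()):
    """Return (private_tmp, touches_tmp) for one service unit.

    private_tmp: effective [Service] PrivateTmp value (default false).
    touches_tmp: some Exec* command line names /tmp or /var/tmp, i.e. a
    candidate for the blocker-bug list when private_tmp is false.
    """
    settings = parse_unit(main_text)
    for snippet in dropins:               # drop-ins apply in lexical order
        parse_unit(snippet, settings)
    private = parse_bool(settings.get(("Service", "PrivateTmp"), "no"))
    cmds = [c for key in _EXEC_KEYS for c in settings.get(("Service", key), [])]
    return private, any(_TMP_RE.search(c) for c in cmds)


# --- constructed sample units (not real Fedora unit files) ---
FOO_SERVICE = """\
[Unit]
Description=constructed daemon that keeps state under /tmp
[Service]
ExecStart=/usr/sbin/foo --state /tmp/foo.state
"""
BAR_SERVICE = """\
[Service]
PrivateTmp=True
ExecStart=/usr/sbin/bar
"""
FOO_DROPIN = """\
# constructed /etc/systemd/system/foo.service.d/privatetmp.conf
[Service]
PrivateTmp=true
"""


def report():
    """Audit the sample units; shared /tmp plus /tmp use is what the feature targets."""
    return {
        "foo.service": audit(FOO_SERVICE),
        "foo.service+dropin": audit(FOO_SERVICE, [FOO_DROPIN]),
        "bar.service": audit(BAR_SERVICE),
    }


if __name__ == "__main__":
    for unit, (private, touches) in report().items():
        flag = "needs PrivateTmp" if touches and not private else "ok"
        print(f"{unit:20} PrivateTmp={private!s:5} uses /tmp={touches!s:5} {flag}")
```

The command-line heuristic only catches services whose unit file names the path; a daemon that opens /tmp from its own code needs the runtime check instead. Note that the parser ignores `PrivateTmp=` outside `[Service]`, as systemd does, and that a drop-in such as the constructed `privatetmp.conf` is the administrator's way to switch a service over without editing the packaged unit.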

Benefit to Fedora

Fedora systems would be more secure, with /tmp-based privilege escalation mitigated.

Scope

This bugzilla is a blocker for all services that need to change their unit file to include PrivateTmp=true: https://bugzilla.redhat.com/show_bug.cgi?id=782466

How To Test

Administrators who expect to find a service's /tmp data in /tmp will have to look in a new location. Sharing data via /tmp between a user and a system service, in either direction, might be broken.
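Checking that a running service actually received a private /tmp, rather than merely being configured for one, means comparing the /tmp mount the service process sees with the one PID 1 sees. The following is an added example, not code from this feature page or from systemd. It parses the /proc/<pid>/mountinfo format: with PrivateTmp=true the service runs in its own mount namespace where /tmp and /var/tmp are bind mounts of per-service directories, so the entry's root (the path inside the backing filesystem) differs from PID 1's, whereas mount IDs alone prove nothing because every new mount namespace gets fresh IDs even for mounts it shares with the host. The mountinfo texts are constructed; the `systemd-private-...` directory names are placeholders following current systemd's layout, not the Fedora 17 paths. On a live host read /proc/1/mountinfo and /proc/<pid>/mountinfo instead.

```python
"""Runtime private-/tmp check over /proc/<pid>/mountinfo (added example, constructed input)."""
import re

_OCTAL_ESC = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """mountinfo escapes space, tab, newline and backslash as octal (\\040 etc.)."""
    return _OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Map mount point -> (mount id, root, fstype, source).

    Line layout: id parent major:minor root mountpoint options [optional...] - fstype source superopts
    """
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        if not sep:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        fields = pre.split()
        fstype, source = post.split()[:2]
        mounts[_unescape(fields[4])] = (int(fields[0]), _unescape(fields[3]), fstype, source)
    return mounts


def private_tmp_status(init_text, proc_text, paths=("/tmp", "/var/tmp")):
    """For each path, True when the service sees a different mount than PID 1.

    Mount IDs are deliberately ignored: an ID mismatch only proves a
    separate mount namespace, not a private directory. What is compared is
    (root, fstype, source), i.e. what is actually mounted there.
    """
    init, proc = parse_mountinfo(init_text), parse_mountinfo(proc_text)
    status = {}
    for path in paths:
        host, svc = init.get(path), proc.get(path)
        status[path] = svc is not None and (host is None or host[1:] != svc[1:])
    return status


# --- constructed samples ---
INIT_MOUNTINFO = """\
28 1 8:2 / / rw,relatime - ext4 /dev/sda2 rw,data=ordered
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
40 28 0:30 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
"""
# service started with PrivateTmp=true: both tmp dirs are bind mounts of
# per-service directories (note the non-"/" root field)
PRIVATE_MOUNTINFO = """\
85 84 8:2 / / rw,relatime - ext4 /dev/sda2 rw,data=ordered
90 85 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
97 85 0:30 /systemd-private-EXAMPLE-foo.service-AbCdEf/tmp /tmp rw,nosuid,nodev - tmpfs tmpfs rw
98 85 8:2 /var/tmp/systemd-private-EXAMPLE-foo.service-AbCdEf/tmp /var/tmp rw,relatime - ext4 /dev/sda2 rw,data=ordered
"""
# service in its own mount namespace for some other reason: new mount IDs,
# but the very same /tmp as the host
SHARED_MOUNTINFO = """\
85 84 8:2 / / rw,relatime - ext4 /dev/sda2 rw,data=ordered
90 85 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
93 85 0:30 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
"""

if __name__ == "__main__":
    print("PrivateTmp service:", private_tmp_status(INIT_MOUNTINFO, PRIVATE_MOUNTINFO))
    print("shared /tmp service:", private_tmp_status(INIT_MOUNTINFO, SHARED_MOUNTINFO))
```

The root field of the private entry also tells an administrator where the service's files live in the root namespace, which is the "new location" the text refers to. Comparing the /proc/1/ns/mnt and /proc/<pid>/ns/mnt links is cheaper but, like the mount ID, only shows that the namespaces differ.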

Documentation

Release Notes

Comments and Discussion