Features/ServicesPrivateTmp

From FedoraProject

< Features
Revision as of 15:13, 8 November 2011 by Dwalsh (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Contents

Feature Name

Allow SELinux to turn off all processes ability to ptrace another process.

Summary

Run all services started by systemd with a private /tmp directory. This would mitigate the chance of a service making a mistake with how it handles its /tmp data allowing a user on the system to get a privilege escalation, since users would not have access to the services /tmp directory.


Owner

  • Email: dwalsh@redhat.com

Current status

  • Targeted release: [Fedora 17]
  • Last updated: Tue Nov 8 2011
  • Percentage of completion: 0%


Detailed Description

It seems to be a weekly occurrence of a new CVE for some app that uses /tmp insecurely.

Privileged services should stop using /tmp and /var/tmp. These services can potentially be interfered by unprivileged users, potentially leading to process escalation. The only server applications that need to use /tmp should be for communicating with users. For example the X server, and potentially apps that use kerberos for example sssd and nfs.gssd. (Although maybe at some point we need to

fix this.)  Most apps that rely on using /tmp to communicate with the user can be easily broken

by users having individual /tmp using pam_namespace.

systemd as of Fedora 16 has the ability to run system services with private /tmp and /var/tmp. I would like to propose that we make this the default in Fedora 17, or at least open a bugzilla on all system services that we know of that use /tmp and /var/tmp to make them use private /tmp and /var/tmp.

Benefit to Fedora

Fedora systems would be more secure, and mitigated against /tmp privilege escalation.

Scope

This change would start to turn on namespacing on more systems. Currently modifications to namespace would stop a running service from seeing changes to the "root" namespace. Currently we ship /etc/init.d/sandbox which remounts the / file system as shared, fixing this problem. We have an open bugzilla to change the mount command and kernel to handle this in the mount options which would be a preferable solution. Since it is less racy.

https://bugzilla.redhat.com/show_bug.cgi?id=712089

Systemd would have to change its default. systemd needs to change to be able to indicate to the admin where the services /tmp file is located in the "root" namespace.

I would open a bugzilla on all service domains that currently use /tmp to try to get them to stop, and inform them that this change it happening, so if they do not want the change, they would need to change their default unit file.

How To Test

Administrators that expect to find services /tmp data in /tmp will have to look in a new location. Sharing data via /tmp from a user to a system service or vice versa might be broken.

Documentation

Release Notes

Comments and Discussion