From Fedora Project Wiki

< Features

Revision as of 13:33, 23 January 2012 by Rbergero (talk | contribs) (Moved to featureReadyForFesco, ticket #775)

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Feature Name

Change several dangerous domains to use PrivateTmp in their unit file.

Summary

Run some services started by systemd with a private /tmp directory. This would mitigate the chance of a service making a mistake with how it handles its /tmp data allowing a user on the system to get a privilege escalation, since users would not have access to the services /tmp directory.


Owner

  • Email: dwalsh@redhat.com

Current status

  • Targeted release: [Fedora 17]
  • Last updated: Tue Jan 17 2012
  • Percentage of completion: 75%


Detailed Description

It seems to be a weekly occurrence of a new CVE for some app that uses /tmp insecurely.

Privileged services should stop using /tmp and /var/tmp. These services can potentially be interfered by unprivileged users, potentially leading to process escalation. The only server applications that need to use /tmp should be for communicating with users. For example the X server, and potentially apps that use kerberos for example sssd and nfs.gssd. (Although maybe at some point we need to fix this.) Most apps that rely on using /tmp to communicate with the user can be easily broken by users having individual /tmp using pam_namespace.

systemd as of Fedora 16 has the ability to run system services with private /tmp. I would like to propose that we change most of the services that use /tmp to use PrivateTmp in Fedora 17

I have opened 48 bugs along with the blocker bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=782466

as a blocker bug for tracking system services that I believe use /tmp.

    • Note. systemd in Fedora 16 is currently broken. This feature requires systemd-38

Benefit to Fedora

Fedora systems would be more secure, and mitigated against /tmp privilege escalation.

Scope

This bugzilla is a blocker on all services that need to change their service unit file to include PrivateTmp=True

https://bugzilla.redhat.com/show_bug.cgi?id=782466

How To Test

Administrators that expect to find services /tmp data in /tmp will have to look in a new location. Sharing data via /tmp from a user to a system service or vice versa might be broken.

Documentation

Release Notes

Comments and Discussion

Retrieved from "https://fedoraproject.org/w/index.php?title=Features/ServicesPrivateTmp&oldid=268388"