Latest revision as of 15:18, 15 February 2012
Feature Name
Change several dangerous domains to use PrivateTmp in their unit file.
Summary
Run some services started by systemd with a private /tmp directory. This mitigates the risk that a service mishandles its /tmp data and thereby lets a local user escalate privileges, since users would not have access to the service's /tmp directory.
Owner
- Name: Daniel J Walsh
- Email: dwalsh@redhat.com
Current status
- Targeted release: [Fedora 17]
- Last updated: Tue Feb 15 2012
- Percentage of completion: 100%
Detailed Description
It seems to be a weekly occurrence that a new CVE is published for some app that uses /tmp insecurely.
Privileged services should stop using /tmp and /var/tmp. Files there can be interfered with by unprivileged users (for example by pre-creating a file or symlink at a name the service expects), potentially leading to privilege escalation. The only server applications that need /tmp should be those that use it to communicate with users, for example the X server, and potentially apps that use Kerberos, for example sssd and nfs.gssd. (Although maybe at some point we need to fix this.) Most apps that rely on /tmp to communicate with the user are already easily broken by users who have an individual /tmp via pam_namespace.
systemd as of Fedora 16 has the ability to run system services with a private /tmp. I would like to propose that we change most of the services that use /tmp to use PrivateTmp in Fedora 17. In the unit file, this is done with:

    [Service]
    PrivateTmp=true

With PrivateTmp=true systemd gives the service its own mount namespace with private /tmp and /var/tmp directories, so both of the directories mentioned above are covered.
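The following script is an added example, not code from the feature page or from systemd. It enables PrivateTmp for a hypothetical `example.service` through a drop-in file, checks a unit file for the setting, and then simulates offline the bug class the setting mitigates: a service that opens a predictable name in /tmp after an unprivileged user has planted a symlink there. The drop-in directory (`<unit>.d/*.conf`) needs a systemd newer than the systemd-38 this page targets; on systemd-38 the two lines go into the unit file itself. The "service" and "attacker" are simulated with ordinary shell commands in temporary directories.

```shell
#!/bin/sh
# Added example (not from the Fedora feature page or from systemd).
# Assumptions: unit name example.service and the drop-in file name are
# hypothetical; drop-ins need a systemd newer than systemd-38.

# Write a drop-in that adds PrivateTmp=true to the [Service] section of unit $2,
# rooted at $1 ("/" on a live system). A drop-in survives package updates,
# unlike an edit to the vendor unit under /usr/lib/systemd/system.
write_privatetmp_dropin() {
    dir="$1/etc/systemd/system/$2.d"
    mkdir -p "$dir"
    printf '[Service]\nPrivateTmp=true\n' > "$dir/privatetmp.conf"
    printf '%s\n' "$dir/privatetmp.conf"
}

# Exit 0 if the unit file or drop-in $1 ends up with PrivateTmp enabled.
# Only [Service] is inspected; as in systemd the last assignment wins and
# true/yes/on/1 are accepted case-insensitively.
unit_sets_private_tmp() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^[ \t]*PrivateTmp[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            v = tolower(v)
            enabled = (v == "true" || v == "yes" || v == "on" || v == "1")
        }
        END { exit enabled ? 0 : 1 }
    ' "$1"
}

# Simulated attack. The attacker can only write to the world-shared directory
# $1; the service writes a predictable name into the directory it sees as /tmp,
# $2. Without PrivateTmp these are the same directory. Returns 0 if the
# attacker's target file received the service's data through the symlink.
simulate_predictable_tmpfile() {
    shared=$1 service_tmp=$2
    target=$(mktemp)                               # file the attacker wants overwritten
    ln -s "$target" "$shared/service.pid"          # attacker, unprivileged, plants a link
    echo 1234 > "$service_tmp/service.pid"         # service opens without O_EXCL
    clobbered=$([ -s "$target" ] && echo yes || echo no)
    rm -f "$target" "$shared/service.pid" "$service_tmp/service.pid"
    [ "$clobbered" = yes ]
}

# Demo in throwaway directories.
root=$(mktemp -d)
f=$(write_privatetmp_dropin "$root" example.service)
unit_sets_private_tmp "$f" && echo "$f enables PrivateTmp"
# On a live system, as root:  systemctl daemon-reload && systemctl restart example.service

shared=$(mktemp -d); private=$(mktemp -d)
simulate_predictable_tmpfile "$shared" "$shared"  && echo "shared /tmp:  attacker's file was clobbered"
simulate_predictable_tmpfile "$shared" "$private" || echo "private /tmp: attacker's link was never seen"
rm -rf "$root" "$shared" "$private"
```

The private directory systemd creates is not reachable by other users, which is why the planted link is simply absent from the service's view of /tmp; the service's own unsafe open() is unchanged, only its exposure is removed.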
I have opened 48 bugs, along with the blocker bug https://bugzilla.redhat.com/show_bug.cgi?id=782466
that tracks the system services that I believe use /tmp.
- Note: systemd in Fedora 16 is currently broken. This feature requires systemd-38.
Benefit to Fedora
Fedora systems would be more secure, hardened against privilege escalation through /tmp.
Scope
This bugzilla is a blocker on all services that need to change their service unit file to include PrivateTmp=true:
https://bugzilla.redhat.com/show_bug.cgi?id=782466
How To Test
Administrators who expect to find a service's /tmp data in /tmp will have to look in a new location: systemd creates the private directory under /tmp/systemd-private-*/ (and likewise under /var/tmp/) and bind-mounts it over /tmp inside the service's mount namespace. Sharing data via /tmp between a user and a system service, in either direction, may be broken, so a service that hands files to users through /tmp (the X server and Kerberos cases above) should not get PrivateTmp.
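The following script is an added example, not code from the feature page or from systemd. It shows how to confirm that a running unit really has a private /tmp: compare which mount backs /tmp in PID 1's /proc/<pid>/mountinfo with the service's main PID's view, and read the private directory name from the same file. The mountinfo listings embedded here are constructed samples, not captured from a real host, so the parsing runs anywhere; the live check needs root and systemd (`systemctl show --value` needs systemd 230 or later), and the unit name passed as the first argument is hypothetical.

```shell
#!/bin/sh
# Added example (not from the Fedora feature page or from systemd).
# Assumptions: sample mountinfo content is constructed; the live check needs
# root, systemd >= 230 for "systemctl show --value", and a unit name in $1.

# Print the mount ID of the mount that covers $2 (default /tmp) in a
# /proc/<pid>/mountinfo listing read from $1. Field 5 is the mount point;
# later entries stack on earlier ones, so the last match is the visible mount.
tmp_mount_id() {
    awk -v mp="${2:-/tmp}" '$5 == mp { id = $1 } END { print id }' "$1"
}

# Exit 0 when the host listing $1 and the service listing $2 disagree on which
# mount backs /tmp, i.e. the service is in its own /tmp mount.
tmp_is_private() {
    h=$(tmp_mount_id "$1"); s=$(tmp_mount_id "$2")
    [ -n "$s" ] && [ "$h" != "$s" ]
}

# Live check against a running unit (root, real systemd).
verify_private_tmp_live() {
    unit=$1
    systemctl show -p PrivateTmp "$unit"                 # expect PrivateTmp=yes
    pid=$(systemctl show -p MainPID --value "$unit")
    [ "$pid" -gt 0 ] 2>/dev/null || { echo "$unit is not running"; return 1; }
    if tmp_is_private /proc/1/mountinfo "/proc/$pid/mountinfo"; then
        echo "$unit has a private /tmp; field 4 (mount root) names the backing directory:"
        awk '$5 == "/tmp" { print $4 }' "/proc/$pid/mountinfo"   # e.g. /systemd-private-.../tmp
    else
        echo "$unit shares the host /tmp"; return 1
    fi
}

# Constructed sample listings (not from a real host) in mountinfo format:
# mount ID, parent ID, major:minor, root, mount point, options, optional
# fields, "-", fstype, source, super options. Written to $1.host and $1.service.
write_sample_mountinfo() {
    cat > "$1.host" <<'EOF'
25 1 0:21 / / rw,relatime - ext4 /dev/sda1 rw
40 25 0:30 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
EOF
    cat > "$1.service" <<'EOF'
25 1 0:21 / / rw,relatime - ext4 /dev/sda1 rw
40 25 0:30 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
312 40 0:30 /systemd-private-e1f2-example.service-Ab3C/tmp /tmp rw,nosuid,nodev - tmpfs tmpfs rw
EOF
}

# Offline demo on the samples, then the live check if a unit name was given.
d=$(mktemp -d)
write_sample_mountinfo "$d/mi"
if tmp_is_private "$d/mi.host" "$d/mi.service"; then
    echo "sample service: private /tmp (mount $(tmp_mount_id "$d/mi.service") vs host $(tmp_mount_id "$d/mi.host"))"
fi
rm -rf "$d"
if [ -n "${1-}" ]; then
    verify_private_tmp_live "$1"
fi
```

A service whose files have "gone missing" from /tmp after this change can be located the same way: the root field of the /tmp entry in its mountinfo is the systemd-private-* directory the files actually live in.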