Revision as of 13:42, 27 May 2009
Feature Name
Polyinstantiated Temporary Directories
Summary
Polyinstantiate temporary directories for different users to avoid the risks that come with insecure tempfile creation. Targeted directories are at least /tmp and /var/tmp, and maybe /dev/shm.
Owner
- Name: Your Name
- email: <your email address so we can contact you, invite you to meetings, etc.>
Current status
- Targeted release: Fedora 42
- Last updated: (DATE)
- Percentage of completion: XX%
Detailed Description
pam_namespace can be used to bind mount a separate directory for each user onto the targeted directories at login time. An example setup is deployed at the fedorapeople server.
Benefit to Fedora
It increases the security of a system: users can only access their own temporary directories, which mitigates insecure tempfile attacks.
Scope
It has to be decided which directories should be polyinstantiated and a configuration for pam_namespace needs to be created. Probably this needs to be included in some system-config tool to enable/disable this easily.
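The following is an added illustration of what such a pam_namespace configuration could look like for the three directories named in the Summary; it is not the fedorapeople setup linked above, and the instance prefix paths (/tmp-inst/ etc.) are assumed names chosen for this example.

```conf
# /etc/security/namespace.conf  (added example; instance prefixes are assumed names)
#
# polydir     instance_prefix         method   list_of_uids
/tmp          /tmp-inst/              user     root,adm
/var/tmp      /var/tmp/tmp-inst/      user     root,adm
/dev/shm      /dev/shm-inst/          user     root,adm
#
# method "user": each user gets a private instance directory under the prefix,
# bind mounted over the polydir at login.
# list_of_uids: users for whom no polyinstantiation is done (they keep the
# shared directory); root and adm are excluded so that administrative
# processes still see the real /tmp.
#
# The instance parent directories must exist before the first login; the
# pam_namespace man page recommends creating them with mode 000 so that no
# user can browse the instances of others:
#   mkdir -m 000 /tmp-inst /var/tmp/tmp-inst /dev/shm-inst
#
# The module then has to be enabled in the session stack of the login
# service(s), e.g. in /etc/pam.d/login:
#   session    required    pam_namespace.so
```

Which services get the session line (login, sshd, gdm, ...) is exactly the decision the Scope section leaves open; a system-config tool would have to manage both this file and those PAM stacks.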
How To Test
Special Requirements
None
System Preparation
TBD
Testing Actions
Log in with two user accounts, create a file in each targeted directory as the first user and try to access the files as the other user.
Expected Results
The second user should not see or be able to access the files created in the targeted directories.
User Experience
Users will see different contents in the targeted directories, which may irritate them when they try to exchange files between two user accounts. On the other hand, they are protected in case they create a temporary file with insecure permissions or with a guessable filename.
Dependencies
Contingency Plan
Documentation
Release Notes
Comments and Discussion