enhance security via private TMP/TMPDIR by default
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Wed May 18 18:15:48 UTC 2005
walters at redhat.com (Colin Walters) writes:
> There's actually been some work going on on giving each user their
> own /tmp namespace via the kernel's CLONE_NEWNS capability and a PAM
> module, AIUI. To the system administrator this could appear as
> /tmp/<username>. I think the problem is in getting later mounts to
> actually appear in the cloned namespace.
These CLONE_NEWNS and (related) 'mount --bind' operations are not very
well supported by the kernel:
* there does not exist a way to enter an already existing namespace; so,
  e.g. two different ssh sessions would have different /tmp directories
* namespaces are causing problems with automounters
* 'mount --bind' does not accept/honor options like 'noatime' or 'noexec'
  (which could be useful, e.g. to mount $HOME/tmp as /tmp). Patches exist
  but the responsible kernel maintainer refuses to apply them :(
* CLONE_NEWNS + 'mount --bind' are not very well documented and it is
  often unclear whether strange behavior is expected or not. E.g. it may
  happen that '/' and '/..' point to different inodes; dunno if this is
  wanted or not.
Enrico
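The mechanism Colin describes (a per-user mount namespace in which /tmp/<username> appears as /tmp) and the plain TMPDIR approach from the subject line, as an editor's worked example in C. This is added illustration, not code from either poster or from any PAM module; the function names are the editor's own, the namespace step assumes CAP_SYS_ADMIN (a privileged PAM session module or setuid helper would be the caller), and the final bind-remount assumes a kernel that accepts MS_REMOUNT|MS_BIND for per-mount flags, which kernels gained after this thread. The security-relevant part is the directory validation: a directory pre-created under the user's name by someone else, or a symlink planted there, is refused rather than mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Build "/tmp/<username>" (the layout Colin describes) into buf.
 * Names that could escape the /tmp prefix are rejected. */
int private_tmp_path(const char *user, char *buf, size_t len)
{
    if (user == NULL || *user == '\0')
        return -1;
    if (strchr(user, '/') != NULL || strcmp(user, ".") == 0 || strcmp(user, "..") == 0)
        return -1;
    int n = snprintf(buf, len, "/tmp/%s", user);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return 0;
}

/* Acceptable private tmp: a real directory (not a symlink), owned by uid,
 * closed to group and others. A directory someone else pre-created under
 * the same name fails here. */
int check_private_dir(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != uid)
        return -1;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return -1;
    return 0;
}

/* Create the directory with mode 0700 if missing, otherwise tighten an
 * existing one. The ownership check and chmod go through one
 * O_NOFOLLOW|O_DIRECTORY descriptor, so a planted symlink or file is
 * refused and both operations apply to the same object. */
int ensure_private_dir(const char *path, uid_t uid)
{
    struct stat st;
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != uid || fchmod(fd, 0700) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return check_private_dir(path, uid);
}

/* Give the calling process its own mount namespace in which dir is /tmp.
 * Needs CAP_SYS_ADMIN. The bind-remount at the end applies
 * noexec/nosuid/nodev to the bind mount (assumes a kernel with per-mount
 * flag support for bind mounts). */
int enter_private_tmp(const char *dir)
{
    if (unshare(CLONE_NEWNS) != 0)
        return -1;
    /* Keep the new mounts from propagating back into the parent namespace. */
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -1;
    if (mount(dir, "/tmp", NULL, MS_BIND, NULL) != 0)
        return -1;
    if (mount(NULL, "/tmp", NULL,
              MS_REMOUNT | MS_BIND | MS_NOEXEC | MS_NOSUID | MS_NODEV, NULL) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char path[256];
    uid_t uid = getuid();
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL || private_tmp_path(pw->pw_name, path, sizeof path) != 0) {
        fprintf(stderr, "cannot derive private tmp path\n");
        return 1;
    }
    if (ensure_private_dir(path, uid) != 0) {
        perror(path);
        return 1;
    }
    if (enter_private_tmp(path) == 0) {
        setenv("TMPDIR", "/tmp", 1);   /* namespace version: the private dir is /tmp */
    } else {
        /* Unprivileged fallback, the subject line's TMPDIR approach: point
         * TMPDIR at the private directory and rely on programs honouring it. */
        fprintf(stderr, "no private namespace (%s); using TMPDIR\n", strerror(errno));
        setenv("TMPDIR", path, 1);
    }
    execl("/bin/sh", "sh", "-c", "echo TMPDIR=$TMPDIR; ls -ld /tmp \"$TMPDIR\"", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run as an unprivileged user the program takes the TMPDIR branch; run from a privileged session hook it takes the namespace branch, and `ls -ld /tmp` inside the spawned shell shows the per-user directory. Either way, the directory is refused unless it is a real directory owned by the caller with mode 0700.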