[redhat-lspp] New pam src rpm with namespace

Klaus Weidner klaus at atsec.com
Sun Feb 19 17:12:09 UTC 2006


On Sun, Feb 19, 2006 at 07:23:21PM +1100, Russell Coker wrote:
> Incidentally one of the guys who's involved with OpenSSH development
> suggested to me that there's a reasonable chance of getting the SE Linux
> patches accepted into the portable tree.  If we can get the code for
> this feature working in the best possible manner and provide some
> security benefits for non-SE systems then maybe we can get it included
> as well.

A per-user polyinstantiated /tmp and /var/tmp could be a security benefit
even without SELinux if it can prevent temp file exploits. The current
implementation isn't quite there yet since everybody's tmp directory is
still present and world writable when newly created. Changing permissions
for the polyinstantiated dir would fix that though, or maybe bind
$HOME/tmp/ as /tmp/ and /var/tmp/ for each user?

-Klaus
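An added example, not part of the original message: a defender-side check for the gap described above, flagging per-user instance directories that are still world-writable or otherwise open to other users. The layout (one parent directory holding one instance directory per user) and all names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_instance_dirs(parent):
    """Return (name, problem) for each instance directory under `parent`
    whose mode still lets other users in."""
    findings = []
    for entry in sorted(os.scandir(parent), key=lambda e: e.name):
        # Only real directories count; symlinks are not followed.
        if not entry.is_dir(follow_symlinks=False):
            continue
        mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        if mode & stat.S_IWOTH:
            # e.g. 1777: the sticky bit does not stop other users from
            # creating files here, which temp file exploits rely on.
            findings.append((entry.name, "world-writable"))
        elif mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((entry.name, "group/other access"))
    return findings


def demo():
    """Build a constructed sample tree and audit it."""
    parent = tempfile.mkdtemp(prefix="tmp-inst-")  # hypothetical parent dir
    sample = (("alice", 0o1777),  # as created: world-writable
              ("bob", 0o700),     # tightened to owner only
              ("carol", 0o750))   # group can still read and traverse
    for name, mode in sample:
        path = os.path.join(parent, name)
        os.mkdir(path)
        os.chmod(path, mode)  # set explicitly so the umask does not interfere
    return audit_instance_dirs(parent)


if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```
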



