
[12/14] xfs_scrub: disable private /tmp for scrub service

Message ID 152160365430.8288.18072489901853791592.stgit@magnolia (mailing list archive)
State Superseded

Commit Message

Darrick J. Wong March 21, 2018, 3:40 a.m. UTC
From: Darrick J. Wong <darrick.wong@oracle.com>

Don't make /tmp private when invoking xfs_scrub as a service, because
/tmp might contain or itself be an xfs filesystem mountpoint.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
 scrub/xfs_scrub@.service.in |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--
To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

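The commit message says why PrivateTmp= has to be off, but not how to see the conflict on a given host. The script below is an added example, not xfsprogs code and not part of this patch, and it goes slightly beyond the text by also covering /var/tmp, which PrivateTmp= privatizes together with /tmp. It parses a /proc/self/mountinfo-style table (the embedded sample is constructed, not captured from a real machine), lists the xfs mountpoints a PrivateTmp=yes unit could not see, and reports which PrivateTmp= value a given xfs_scrub@ instance path therefore needs. All function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not xfsprogs code: find xfs mounts that a systemd unit with
# PrivateTmp=yes would hide from xfs_scrub, given a /proc/self/mountinfo
# style table. PrivateTmp= replaces both /tmp and /var/tmp inside the unit's
# mount namespace, so anything mounted at or beneath them on the host is
# not visible to the service.

# Constructed sample table (assumption, not captured from a real host).
# Fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
# Real mountinfo escapes spaces in paths as \040; the sample has none.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime - xfs /dev/sda1 rw,attr2,inode64
40 22 8:17 / /tmp rw,relatime - xfs /dev/sdb1 rw,attr2,inode64
41 40 8:33 / /tmp/scratch rw,relatime - xfs /dev/sdc1 rw,attr2,inode64
42 22 8:2 / /home rw,relatime - ext4 /dev/sda2 rw
43 22 0:40 / /var/tmp rw,nosuid - tmpfs tmpfs rw'

# fstype_of PATH TABLE: print the filesystem type if PATH is a mountpoint
# in TABLE, print nothing otherwise. The "-" separator marks the end of the
# optional fields; the fstype is the field right after it.
fstype_of() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $5 == p {
            for (i = 7; i <= NF; i++)
                if ($i == "-") { print $(i + 1); exit }
        }'
}

# private_tmp_hides PATH: succeed if PATH is /tmp, /var/tmp or beneath either,
# i.e. a location that PrivateTmp=yes replaces with a private directory.
private_tmp_hides() {
    case $1 in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# hidden_xfs_mounts TABLE: list every xfs mountpoint in TABLE that a
# PrivateTmp=yes unit could not reach, one per line.
hidden_xfs_mounts() {
    printf '%s\n' "$1" | awk '
        $5 == "/tmp" || index($5, "/tmp/") == 1 || $5 == "/var/tmp" || index($5, "/var/tmp/") == 1 {
            for (i = 7; i <= NF; i++)
                if ($i == "-") { if ($(i + 1) == "xfs") print $5; break }
        }'
}

# private_tmp_setting INSTANCE TABLE: print the PrivateTmp= value that lets
# xfs_scrub@INSTANCE (INSTANCE being the unescaped mountpoint, as %I gives it)
# see its target: "no" when the target is an xfs mount under a private tmp,
# "yes" otherwise.
private_tmp_setting() {
    if [ "$(fstype_of "$1" "$2")" = xfs ] && private_tmp_hides "$1"; then
        echo no
    else
        echo yes
    fi
}

# Demo on the constructed table; on a real host pass "$(cat /proc/self/mountinfo)".
echo "xfs mounts hidden by PrivateTmp=yes:"
hidden_xfs_mounts "$SAMPLE_MOUNTINFO"
for inst in /tmp /tmp/scratch /home; do
    echo "PrivateTmp=$(private_tmp_setting "$inst" "$SAMPLE_MOUNTINFO") is safe for xfs_scrub@$inst"
done
```

Because the unit file is static and cannot know at install time where administrators will mount xfs, the patch turns PrivateTmp= off unconditionally; the script only makes the hidden-mount case visible for a particular host.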
Comments

Eric Sandeen April 11, 2018, 1:45 a.m. UTC | #1
On 3/20/18 10:40 PM, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@oracle.com>
> 
> Don't make /tmp private when invoking xfs_scrub as a service, because
> /tmp might contain or itself be an xfs filesystem mountpoint.

Could you please add a comment to this so that future security analysts
don't change it back?  :)

# xfs_scrub doesn't even use /tmp but <this is why we do this here>

> 
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> ---
>  scrub/xfs_scrub@.service.in |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> 
> diff --git a/scrub/xfs_scrub@.service.in b/scrub/xfs_scrub@.service.in
> index c14f813..9e6206a 100644
> --- a/scrub/xfs_scrub@.service.in
> +++ b/scrub/xfs_scrub@.service.in
> @@ -9,7 +9,7 @@ WorkingDirectory=%I
>  PrivateNetwork=true
>  ProtectSystem=full
>  ProtectHome=read-only
> -PrivateTmp=yes
> +PrivateTmp=no
>  AmbientCapabilities=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
>  NoNewPrivileges=yes
>  User=nobody
> 
Darrick J. Wong April 11, 2018, 1:49 a.m. UTC | #2
On Tue, Apr 10, 2018 at 08:45:23PM -0500, Eric Sandeen wrote:
> 
> 
> On 3/20/18 10:40 PM, Darrick J. Wong wrote:
> > From: Darrick J. Wong <darrick.wong@oracle.com>
> > 
> > Don't make /tmp private when invoking xfs_scrub as a service, because
> > /tmp might contain or itself be an xfs filesystem mountpoint.
> 
> Could you please add a comment to this so that future security analysts
> don't change it back?  :)

# Disable private /tmp just in case %i is a path under /tmp.

--D

> # xfs_scrub doesn't even use /tmp but <this is why we do this here>
> 
> > 
> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> > ---
> >  scrub/xfs_scrub@.service.in |    2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > 
> > diff --git a/scrub/xfs_scrub@.service.in b/scrub/xfs_scrub@.service.in
> > index c14f813..9e6206a 100644
> > --- a/scrub/xfs_scrub@.service.in
> > +++ b/scrub/xfs_scrub@.service.in
> > @@ -9,7 +9,7 @@ WorkingDirectory=%I
> >  PrivateNetwork=true
> >  ProtectSystem=full
> >  ProtectHome=read-only
> > -PrivateTmp=yes
> > +PrivateTmp=no
> >  AmbientCapabilities=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
> >  NoNewPrivileges=yes
> >  User=nobody
> > 

Patch

diff --git a/scrub/xfs_scrub@.service.in b/scrub/xfs_scrub@.service.in
index c14f813..9e6206a 100644
--- a/scrub/xfs_scrub@.service.in
+++ b/scrub/xfs_scrub@.service.in
@@ -9,7 +9,7 @@  WorkingDirectory=%I
 PrivateNetwork=true
 ProtectSystem=full
 ProtectHome=read-only
-PrivateTmp=yes
+PrivateTmp=no
 AmbientCapabilities=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO
 NoNewPrivileges=yes
 User=nobody
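Review bot: the flip to `PrivateTmp=no` carries no in-file explanation, so a later hardening pass over this unit will read it as an oversight and turn it back on; carry the reason from the commit message into the unit itself, e.g. `# Disable private /tmp just in case %i is a path under /tmp.` directly above `PrivateTmp=no`. The comment should say what actually goes wrong: with PrivateTmp=yes the service gets its own /tmp, so an xfs filesystem mounted at or beneath the host's /tmp, which `WorkingDirectory=%I` may well point at, is simply not visible to xfs_scrub. Note that this is the only sandboxing directive being relaxed; `PrivateNetwork=true`, `ProtectSystem=full`, `ProtectHome=read-only` and `NoNewPrivileges=yes` all remain in force, which is worth stating so the change is not mistaken for a broader loosening of the unit.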