On Tue, 8 Nov 2011 12:55:31 +0100
Lennart Poettering <mzerqung(a)0pointer.de> wrote:
On Mon, 07.11.11 21:53, Gregory Maxwell (gmaxwell(a)gmail.com) wrote:
> On Mon, Nov 7, 2011 at 8:48 PM, Lennart Poettering
> <mzerqung(a)0pointer.de> wrote:
> > If run on the main namespace all they see is that the files are
> > in some randomized subdir of /tmp, instead of /tmp itself.
>
> Is the randomization required? If they were named after the
> user/service that created them (perhaps with some randomization too
> e.g. /tmp/mount.fooservice.$random would be much more discoverable
> and maintainable then /tmp/$random. Systemctl show is good and
> needed for automation, but my brain stores more sysadmin trivial
> than I like already.
Well, that way attackers might still be able fool the admin: i.e. he
could create a directory with a service name and some randomized
suffix and the admin might blindly believe that this directory
belongs to the service, even if it doesn't, but belongs to the evil
attacker. Using a fully randomized name is a bit more secure here,
since the admin always needs to check the service first for the
actual directory.
But isn't the point of having namespaced /tmp that no network-facing
service is even able to create a directory in the main namespace?
In other words, if the attacker is able to create a directory in the
main namespace, you've already lost?
--Stijn