Proposing Fedora Feature for private /tmp and /var/tmp for all systemd services in Fedora 17.

Lennart Poettering mzerqung at 0pointer.de
Tue Nov 8 01:48:58 UTC 2011


On Mon, 07.11.11 19:15, Chris Adams (cmadams at hiwaay.net) wrote:

> Once upon a time, Lennart Poettering <mzerqung at 0pointer.de> said:
> > Yes, since they are created as subdirectories of the real / with mkdtemp()
> > and thus can be found there like any other directory if you are running
> > in the main namespaces.
> > 
> > No, since there's currently no sane way to figure out the private /tmp
> > directory of a running service. i.e. there's currently no sane way to
> > figure out which directory in /tmp appears as /tmp to
> > avahi-daemon.service. So, while you see all the subdirs, you'll have a
> > hard time to figure out which one is which one.
> 
> So are they subdirectories of / or /tmp?

The latter.

> How do standard tools like fuser and lsof see them?  

If run on the main namespace all they see is that the files are in some
randomized subdir of /tmp, instead of /tmp itself.

> I'm thinking of cases like "daemon gets cracked", where script-kiddie
> starts downloading attempted rootkits into /tmp, or where luser does
> something that starts filling up the disk, etc.  If fuser/lsof can
> tell me correctly which process is accessing that directory, that's
> probably good enough.

Yes, this works as it always did. We made sure that the behaviour change
is as minimal as possible and all the accounting and discoverability is
unchanged.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
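
Added example (not part of the original message and not systemd code): when investigating a service from the main namespace, comparing the service's `/proc/<pid>/mountinfo` with the host's gives the randomized directory that the service sees as /tmp. It assumes the private /tmp is a bind mount inside the service's mount namespace; the mountinfo text and the directory name are constructed sample data.

```python
import re

# Constructed sample data: mountinfo of the main namespace (HOST) and of a
# service process (SERVICE). The directory name is made up for illustration.
HOST = """21 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
30 21 0:25 / /tmp rw,nosuid,nodev shared:5 - tmpfs tmpfs rw"""
SERVICE = """121 100 8:2 / / rw,relatime - ext4 /dev/sda2 rw
130 121 0:25 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
131 130 0:25 /constructed-private-Ab12Cd /tmp rw,nosuid,nodev - tmpfs tmpfs rw"""

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return (device, root_within_fs, mount_point) for every mount line."""
    rows = (line.split() for line in text.splitlines())
    return [(f[2], _unescape(f[3]), _unescape(f[4])) for f in rows if len(f) >= 5]

def _under(path, parent):
    return path == parent or path.startswith(parent.rstrip("/") + "/")

def host_path(service_info, host_info, inside="/tmp"):
    """Directory in the main namespace that the service sees as `inside`."""
    hits = [m for m in parse_mountinfo(service_info) if m[2] == inside]
    if not hits:
        return None  # no mount at that path in the service's namespace
    dev, root, _ = hits[-1]  # a later mount on the same path covers earlier ones
    best = None
    for hdev, hroot, hmp in parse_mountinfo(host_info):
        # same filesystem, and the host mount exposes the subtree containing root
        if hdev == dev and _under(root, hroot):
            if best is None or len(hroot) > len(best[0]):
                best = (hroot, hmp)
    if best is None:
        return None  # filesystem not reachable from the main namespace
    rel = root[len(best[0]):].lstrip("/")
    return best[1].rstrip("/") + "/" + rel if rel else best[1]

if __name__ == "__main__":
    print(host_path(SERVICE, HOST))
```

On a live system the two inputs are the contents of `/proc/<pid>/mountinfo` for the service's main PID and `/proc/self/mountinfo` read from a shell in the main namespace; pass `inside="/var/tmp"` for the other directory.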

