F22 System Wide Change: Enable Polyinstantiated /tmp and /var/tmp directories by default

"Jóhann B. Guðmundsson" johannbg at gmail.com
Tue Jan 20 12:06:33 UTC 2015


On 01/20/2015 11:53 AM, Jaroslav Reznik wrote:
> = Proposed System Wide Change: Enable Polyinstantiated /tmp and /var/tmp
> directories by default =
> https://fedoraproject.org/wiki/Changes/Polyinstantiated_tmp_by_Default
>
> Change owner(s): Huzaifa Sidhpurwala <huzaifas at redhat.com>
>
> Polyinstantiation of temporary directories is a pro-active security measure,
> which reduces the chances of attacks caused by the /tmp and /var/tmp
> directories being world-writable. These include flaws caused by predictive
> temp. file names, race conditions due to symbolic links etc.
>
> == Detailed Description ==
> The basic idea is to provide better security to Fedora installs. Though
> Polyinstantiated /tmp has worked since Fedora 19, it's not a single step
> process to configure it. Secondly, people don't really understand its benefits.
> Because of this, having it on by default makes more sense. It is completely
> transparent to the user; they won't even realize that it has been enabled.
>
> The Red Hat Product Security Team assigns CWE ids to severe flaws (CVSSv2 > 7).
> Here is a list of severe flaws caused by insecure tmp files [1].
>
> == Scope ==
> * Proposal owners: No work required to be done by proposal owner.
>
> * Other developers:
> ** Add /tmp-inst and /var/tmp/tmp-inst to filesystem. (packagename: filesystem)
> ** Enable namespaces in /etc/security/namespace.conf (packagename: PAM)
> ** Enable proper selinux context and polyinstantiation_enabled boolean to be
> set (packagename: selinux-policy-targeted or selinux-policy)
>
> * Release engineering: N/A
> * Policies and guidelines: N/A
>
> == Contingency Plan ==
> * Contingency mechanism: Poly tmp can be rolled back quite easily, by using
> the previous versions of packages which provide the old directory structures
> and old versions of the configuration files (poly tmp is just configuration and a
> few new directories). In earlier releases gnome-shell had issues with poly
> tmp, which now seems to be resolved. In any case, by the Beta deadline, if any
> blockers exist, we can easily remove this feature by tagging previous
> versions of the affected packages before the final spin.
>
> * Contingency deadline: Beta freeze
> * Blocks release? No
>
> [1] http://red.ht/1EkZ1gT
> ______________________________________________

Assuming this won't collide with the existing setup systemd provides, what 
benefits does this provide over systemd's /tmp /var/tmp setup and 
PrivateTmp?

JBG
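The Scope section of the quoted proposal names three pieces that have to line up for polyinstantiated /tmp and /var/tmp to work: active entries in /etc/security/namespace.conf, the /tmp-inst and /var/tmp/tmp-inst instance parent directories, and the SELinux polyinstantiation_enabled boolean. The script below is an added example (not part of the change proposal or of this mail) that audits those pieces. It parses a constructed namespace.conf sample in the stock "polydir instance_prefix method list_of_uids" format, checks that the instance parent directories exist with the mode 000 that pam_namespace requires, and, when getsebool is present, reports the boolean. The fixture paths under a mktemp directory are assumptions made so the check runs unprivileged and offline.

```shell
#!/bin/sh
# Added example, not from the Fedora change or the original mail: audit the
# configuration pieces a polyinstantiated /tmp and /var/tmp setup depends on.
set -u

# Print the active (uncommented) namespace.conf entries as
# "polydir instance_prefix method", one per line.
polyinst_entries() {
    awk '!/^[[:space:]]*#/ && NF >= 3 { print $1, $2, $3 }' "$1"
}

# Succeed (exit 0) if polydir $2 has an active entry in namespace.conf $1.
polyinst_has_polydir() {
    polyinst_entries "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# pam_namespace refuses an instance parent directory that is not mode 000.
# (It must also be root-owned; ownership is not enforced here so that the
# check can run as an ordinary user against a fixture.)
polyinst_instance_dir_ok() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "d---------" ]
}

# Human-readable summary of all three pieces for namespace.conf $1 and an
# instance-directory root $2 ("" for a real host, a fixture dir for testing).
polyinst_report() {
    conf=$1; root=$2
    for d in /tmp /var/tmp; do
        if polyinst_has_polydir "$conf" "$d"; then
            echo "namespace.conf: $d is polyinstantiated"
        else
            echo "namespace.conf: $d has no active entry"
        fi
    done
    for inst in "$root/tmp-inst" "$root/var/tmp/tmp-inst"; do
        if polyinst_instance_dir_ok "$inst"; then
            echo "instance dir ok: $inst"
        else
            echo "instance dir missing or not mode 000: $inst"
        fi
    done
    # The SELinux side named in the proposal; only meaningful on a real host.
    if command -v getsebool >/dev/null 2>&1; then
        getsebool polyinstantiation_enabled 2>/dev/null || echo "polyinstantiation_enabled: not readable"
    else
        echo "getsebool not available: SELinux boolean not checked"
    fi
}

# Constructed fixture (assumption): the two entries the proposal enables,
# with the stock $HOME entry left commented out, plus one deliberately
# mis-permissioned instance directory.
WORK=$(mktemp -d)
NS_CONF="$WORK/namespace.conf"
cat > "$NS_CONF" <<'EOF'
# constructed sample namespace.conf
/tmp     /tmp-inst/         level  root,adm
/var/tmp /var/tmp/tmp-inst/ level  root,adm
#$HOME   $HOME/$USER.inst/  level
EOF
mkdir -p "$WORK/tmp-inst" "$WORK/var/tmp/tmp-inst" "$WORK/bad-inst"
chmod 000 "$WORK/tmp-inst" "$WORK/var/tmp/tmp-inst"

polyinst_report "$NS_CONF" "$WORK"
# Remove the fixture afterwards with: chmod -R u+rwx "$WORK" && rm -rf "$WORK"
```

Against a real Fedora host the same functions would be called as `polyinst_report /etc/security/namespace.conf ""`; the fixture exists only so the logic can be exercised without root or SELinux.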
