F22 System Wide Change: Enable Polyinstantiated /tmp and /var/tmp directories by default

Huzaifa Sidhpurwala huzaifas at redhat.com
Wed Jan 21 09:04:56 UTC 2015 

On 01/20/2015 05:59 PM, Lennart Poettering wrote:

> 
> Well, /tmp is used by X11 among other for IPC across user 
> boundaries. If you give each other their private instance of it,
> they cannot use this for communication anymore. You are breaking
> X11 this way.
Did you read the attached references to the proposal?
X11 is a special case of needed a shared temp. directory between root
and a no-root process. The reference has a way to solve this problem.

afaik, non-root xorg wont need this hack anymore.

> 
> Moreover, if you want to give each user a private instance of /tmp
> you have to run that user in a private mount namespace and disable 
> propagation from that namespace into the host for the / directory
> for this. (After all the /tmp over-mounting shall be private to the
> user, and not propagate to the rest of the system.)  This of course
> means that if the user later-on invokes /bin/mount or /bin/umount
> on any subdir of / the commands have will have zero effect for the
> rest of the system. You pretty much brek mounting/umounting for
> normal users. If you do this, pretty much every admin will hate you
> deeply.
> 
> Also, introducing "/tmp-inst" sounds really wrong to me, what's
> the point of that? systemd's PrivateTmp= works by mounting /tmp
> over with a subdir of /tmp, so that things stay on the same file
> system. Why introduce a new directory?
> 
/tmp-inst is created with mode 000, as compared to /tmp. As per the
documentation pam_namespace will enforce this mode, unless explicitly
asked to bypass this.

> How do you intend for the new /tmp instance to be life-cycled? When
> is the private /tmp instance removed? On logout? Tracking a user 
> session's lifecycle is not easy, as the user might have processes 
> running that are not attached to any session, and you shouldn't
> remove the private /tmp before those processes are dead too.
> 
Private tmp instances are NOT removed. Only access to them is
restricted to process which run as the $user.

> To me this sounds very much not thought to the end.
> 

Maybe you should try doing this once and see how it scales?

> We thought a couple of times in adding an option for this to 
> systemd/logind, after all, we have the namespacing code in systemd 
> anyway, and we can at least track the sessions through logind very 
> precisely. However, X11 and the mount propagation breakage are
> real blockers to make this useful in the general case.
> 
> This idea can only fly for very special systems where the
> propagation is irrelevant. It's not compatible with admin
> workflows, at all.
> 
> Lennart
> 


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team

More information about the devel mailing list