
Re: enhance security via private TMP/TMPDIR by default



walters redhat com (Colin Walters) writes:

> There's actually been some work going on on giving each user their
> own /tmp namespace via the kernel's CLONE_NEWNS capability and a PAM
> module, AIUI.  To the system administrator this could appear as
> /tmp/<username>.  I think the problem is in getting later mounts to
> actually appear in the cloned namespace.

These CLONE_NEWNS and (related) 'mount --bind' operations are not very
well supported by the kernel:

* there does not exist a way to enter an already existing namespace; so,
  e.g. two different ssh sessions would have different /tmp directories

* namespaces are causing problems with automounters

* 'mount --bind' does not accept/honor options like 'noatime' or 'noexec'
  (which could be useful, e.g. to mount $HOME/tmp as /tmp). Patches exist,
  but the responsible kernel maintainer refuses to apply them :(

* CLONE_NEWNS + 'mount --bind' are not very well documented and it is
  often unclear whether strange behavior is expected or not. E.g. it may
  happen that '/' and '/..' are pointing to different inodes; dunno if
  this is wanted or not.



Enrico
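A check that follows from the third point above, as an added example that is not part of Enrico's mail: a POSIX shell snippet that reads the per-mount flags from /proc/self/mountinfo, so you can confirm whether a bind-mounted /tmp actually carries noexec/nosuid/nodev instead of trusting the options given on the mount command line. The sample mountinfo contents, the /home/user/tmp path and the "remount,bind" command in the comments are constructed for the example (later kernels accept that remount form for changing flags on a bind mount; the mail itself does not describe it).

```shell
#!/bin/sh
# Added example, not code from the mail: check the flags a mount point
# actually carries, since 'mount --bind' may silently drop options such as
# noexec. Fields of /proc/self/mountinfo (see proc(5)):
#   $1 mount ID  $2 parent ID  $3 major:minor  $4 root  $5 mount point
#   $6 per-mount options (rw,noexec,...)  ...  "-" fstype source super-opts

# Print the per-mount options of the topmost (last listed) entry for a
# mount point. Defaults to the live system when no file is given.
mount_opts() {          # mount_opts <mountpoint> [mountinfo-file]
    awk -v mp="$1" '$5 == mp { opts = $6 } END { print opts }' \
        "${2:-/proc/self/mountinfo}"
}

# Succeed if <option> is one of the per-mount options of <mountpoint>.
has_mount_opt() {       # has_mount_opt <mountpoint> <option> [mountinfo-file]
    mount_opts "$1" "$3" | tr ',' '\n' | grep -qx -- "$2"
}

# Succeed only if /tmp carries all three hardening flags.
tmp_hardened() {        # tmp_hardened [mountinfo-file]
    for opt in noexec nosuid nodev; do
        has_mount_opt /tmp "$opt" "$1" || return 1
    done
}

# Constructed sample mountinfo (not from a real host): /home/user/tmp
# bind-mounted onto /tmp.
# BEFORE: 'mount --bind -o noexec /home/user/tmp /tmp' on a kernel that
#         ignores the option, as the mail describes.
# AFTER:  the same mount after 'mount -o remount,bind,noexec,nosuid,nodev /tmp'
#         on a kernel that supports per-mount flags on bind mounts.
BEFORE=$(mktemp) && AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
45 22 8:1 /home/user/tmp /tmp rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
EOF
cat > "$AFTER" <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
45 22 8:1 /home/user/tmp /tmp rw,nosuid,nodev,noexec,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
EOF

report() {              # report <label> <mountinfo-file>
    if tmp_hardened "$2"; then echo "$1: /tmp is noexec,nosuid,nodev"
    else echo "$1: /tmp lacks flags (has: $(mount_opts /tmp "$2"))"; fi
}
report "before remount" "$BEFORE"
report "after remount"  "$AFTER"
```

Run it without arguments on a live host and `tmp_hardened` inspects /proc/self/mountinfo directly; a non-zero exit means the flags you asked for never reached the mount.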


