enhance security via private TMP/TMPDIR by default
Colin Walters
walters at redhat.com
Wed May 18 22:39:20 UTC 2005
On Wed, 2005-05-18 at 20:15 +0200, Enrico Scholz wrote:
> This CLONE_NEWNS and (related) 'mount --bind' operations are not very
> well supported by the kernel:
>
> * there does not exist a way to enter an already existing namespace; so,
> e.g. two different ssh sessions would have different /tmp directories
Right, but that shouldn't be a problem since you can share data via your
home directory or a specially-designated scratch area, etc.
> * namespaces are causing problems with automounters
Sounds like a regular bug; I don't think automounters would come into
play for /tmp anyways?
> * 'mount --bind' does not accept/honor options like 'noatime' or 'noexec'
> (which could be usefully e.g. to mount $HOME/tmp as /tmp). Patches are
> existing but responsible kernel maintainer refuses to apply them :(
noexec's always been virtually useless. noatime is useful, but not so
much that it would be a showstopper for CLONE_NEWNS, in my opinion.
> * CLONE_NEWNS + 'mount --bind' are not very well documented and it is
> often unclear whether strange behavior is expected or not. E.g. it may
> happen that '/' and '/..' are pointing to different inodes; dunno if
> this is wanted or not.
Hm, so it might confuse tools? I'd imagine most tools out there recurse
downwards into a path and so won't hit that issue, but it is something
to watch out for.
More information about the fedora-devel-list
mailing list