Votre compte Red Hat vous permet d'accéder à votre profil, à vos préférences et aux services suivants en fonction de votre statut client :
Vous n'êtes pas encore inscrit ? Voici quelques bonnes raisons de le faire :
- Parcourez les articles de la base de connaissances, gérez les dossiers d'assistance et les abonnements, téléchargez des mises à jour et bien plus encore, le tout depuis un espace unique.
- Affichez la liste des utilisateurs de votre organisation et modifiez les informations, les préférences et les autorisations relatives à leur compte.
- Gérez vos certifications Red Hat, consultez l'historique de vos examens et téléchargez des logos et des documents relatifs à vos certifications.
Votre compte Red Hat vous permet d'accéder à votre profil, à vos préférences et à d'autres services en fonction de votre statut client.
Si vous utilisez un ordinateur public, déconnectez-vous de votre compte lorsque vous n'utilisez plus les services Red Hat afin de garantir votre sécurité.Déconnexion
This article was originally published on the Red Hat Customer Portal. The information may no longer be current.
One of the reasons I am really excited about Red Hat Enterprise Linux 7 is the amount of new security features we have added, and not all of them involve SELinux.
Today, I want to talk about PrivateTmp.
One of my goals over the years has been to stop system services from using
/tmp. I blogged about this back in 2007.
Anytime I have discovered a daemon using
/tmp, I have tried to convince the packager to move the temporary content and FIFO files to the
/run directory. If the content was permanent, then it should be in
/var/lib. All users on your system are able to write to
/tmp, so if an application creates content in
/tmp that is guessable (i.e., has a well-known name), a user could create a link file with that name in
/tmp and fool the privileged app to unlink or overwrite the destination of the link. Not only would you have to worry about users doing this, but you would also have to worry about any application that the user runs and any service that you have running on your system. They are all allowed to write to
/tmp based on permissions.
Over the years, there have been several vulnerabilities (CVEs) about this. For example, CVE-2011-2722 covered a case where
hplib actually included code like this:
fp = fopen ("/tmp/hpcupsfax.out", "w"); // <- VULN system ("chmod 666 /tmp/hpcupsfax.out"); // <- "
This means that if you set up a machine running the
cups daemon, a malicious user or an application that a user ran could attack your system.
I have convinced a lot of packages to stop using
/tmp, but I can't get them all. And in some cases, services like Apache need to use
/tmp. Apache runs lots of other packages that might store content in
systemd has added a lot of new security features (more on these later).
PrivateTmp, which showed up in Fedora 16, is an option in
systemd unit configuration files.
> man system.unit ... A unit configuration file encodes information about a service, a socket, a device, a mount point, an automount point, a swap file or partition, a start-up target, a file system path or a timer controlled and supervised by systemd(1). > man systemd.exec NAME systemd.exec - systemd execution environment configuration SYNOPSIS systemd.service, systemd.socket, systemd.mount, systemd.swap DESCRIPTION Unit configuration files for services, sockets, mount points and swap devices share a subset of configuration options which define the execution environment of spawned processes. ... PrivateTmp= Takes a boolean argument. If true sets up a new file system namespace for the executed processes and mounts a private /tmp directory inside it, that is not shared by processes outside of the namespace. This is useful to secure access to temporary files of the process, but makes sharing between processes via /tmp impossible. Defaults to false.
systemd to do the following anytime it starts a service with this option turned on:
Allocate a private "tmp" directory Create a new file system namespace Bind mount this private "tmp" directory within the namespace over /tmp Start the service.
This means that processes running with this flag would see a different and unique
/tmp from the one users and other daemons sees or can access.
NOTE: We have found bugs using PrivateTmp in Fedora 16, so make sure you test this well before turning it on in production.
For Fedora 17, I opened a feature page that requested all daemons that were using systemd unit files and /tmp to turn this feature on by default.
Several daemons, including Apache and
cups, now have PrivateTmp turned on by default in Red Hat Enterprise Linux 7.
Given the three options as a developer of system service, I still believe that you should not use
/tmp. You should instead use
/var/lib. But if you have to use
/tmp and do not communicate with other users, then use PrivateTmp. If you need to communicate with users, be careful.