chiark / gitweb /
~ianmdlvl / elogind.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1f048a6) | patch
Make PrivateTmp dirs also inaccessible from the outside
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 20 Mar 2013 05:38:28 +0000 (01:38 -0400)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 20 Mar 2013 18:08:41 +0000 (14:08 -0400)
commitd34cd374905a40e65769351a2808b741b5418bf1
tree5dbd6761c13de63a6d5b1c0733d82990abb46aeftree | snapshot
parent1f048a6b6bcc30d2e157711b3d231d7a944e6ffbcommit | diff
Make PrivateTmp dirs also inaccessible from the outside

Currently, PrivateTmp=yes means that the service cannot see the /tmp
shared by rest of the system and is isolated from other services using
PrivateTmp, but users can access and modify /tmp as seen by the
service.

Move the private /tmp and /var/tmp directories into a 0077-mode
directory. This way unpriviledged users on the system cannot see (or
modify) /tmp as seen by the service.
src/core/execute.c diff | blob | history
src/core/namespace.c diff | blob | history
src/shared/util.c diff | blob | history
src/shared/util.h diff | blob | history
tmpfiles.d/tmp.conf diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.