Re: Proposing Fedora Feature for private /tmp and /var/tmp for all systemd services in Fedora 17.

On Tue, 8 Nov 2011 12:55:31 +0100
Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:

> On Mon, 07.11.11 21:53, Gregory Maxwell (gmaxwell@xxxxxxxxx) wrote:
> 
> > On Mon, Nov 7, 2011 at 8:48 PM, Lennart Poettering
> > <mzerqung@xxxxxxxxxxx> wrote:
> > > If run on the main namespace all they see is that the files are
> > > in some randomized subdir of /tmp, instead of /tmp itself.
> > 
> > Is the randomization required? If they were named after the
> > user/service that created them (perhaps with some randomization too),
> > e.g. /tmp/mount.fooservice.$random would be much more discoverable
> > and maintainable than /tmp/$random. Systemctl show is good and
> > needed for automation, but my brain stores more sysadmin trivia
> > than I like already.
> 
> Well, that way attackers might still be able to fool the admin: i.e. he
> could create a directory with a service name and some randomized
> suffix and the admin might blindly believe that this directory
> belongs to the service, even if it doesn't, but belongs to the evil
> attacker. Using a fully randomized name is a bit more secure here,
> since the admin always needs to check the service first for the
> actual directory.

But isn't the point of having namespaced /tmp that no network-facing
service is even able to create a directory in the main namespace?
In other words, if the attacker is able to create a directory in the
main namespace, you've already lost?

--Stijn
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


