On Wed, Jan 21, 2015 at 4:59 PM, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
> On Wed, 21.01.15 09:49, Daniel J Walsh (dwalsh@xxxxxxxxxx) wrote:
>
>> >> * Other developers:
>> >> ** Add /tmp-inst and /var/tmp/tmp-inst to filesystem. (packagename: filesystem)
>> >> ** Enable namespaces in /etc/security/namespace.conf (packagename: PAM)
>> >> ** Enable proper selinux context and polyinstantiation_enabled boolean to be
>> >> set (packagename: selinux-policy-targeted or selinux-policy)
>> > Well, /tmp is used by X11 among others for IPC across user
>> > boundaries. If you give each user their private instance of it, they
>> > cannot use this for communication anymore. You are breaking X11 this
>> > way.
>>
>> I believe X11 attempts to use the abstract namespace @/tmp/.X11-unix
>> first, at least it used to.
>
> Which is a local DoS vulnerability, since abstract namespace sockets
> may be created by anyone, and the names are guessable. X11 really
> should stop doing that, it's a security hole.

https://lists.fedoraproject.org/pipermail/devel/2011-January/147611.html

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
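An added audit example, not part of the thread: it parses the `/proc/net/unix` table (where the kernel prints abstract-namespace names with a leading `@`) and reports which listening AF_UNIX sockets live in the abstract namespace, and which names are bound both as a filesystem path and as an abstract name, as the thread says X11 does. The sample table is constructed, and the dbus-style name in it is made up.

```python
"""Audit listening AF_UNIX sockets; flag abstract-namespace binds (no filesystem permissions apply)."""
from dataclasses import dataclass

# Constructed sample in /proc/net/unix layout (not captured from a real host).
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 21001 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 21002 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 21003 @/tmp/dbus-EXAMPLE
0000000000000000: 00000003 00000000 00000000 0001 03 21004 /run/systemd/journal/stdout
0000000000000000: 00000003 00000000 00000000 0001 03 21005
"""

SO_ACCEPTCON = 0x00010000  # kernel __SO_ACCEPTCON flag: socket is listening


@dataclass(frozen=True)
class UnixSocket:
    inode: int
    listening: bool
    abstract: bool
    name: str  # abstract names are stored without the '@' marker


def parse_proc_net_unix(text: str) -> list[UnixSocket]:
    """Parse /proc/net/unix text; unnamed sockets (socketpairs etc.) are skipped."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split(None, 7)  # Num RefCount Protocol Flags Type St Inode [Path]
        if len(fields) < 8:
            continue
        flags, inode, path = int(fields[3], 16), int(fields[6]), fields[7]
        abstract = path.startswith("@")
        name = path[1:] if abstract else path
        sockets.append(UnixSocket(inode, bool(flags & SO_ACCEPTCON), abstract, name))
    return sockets


def abstract_listeners(sockets: list[UnixSocket]) -> list[str]:
    """Names any local user could have claimed first: listening abstract sockets."""
    return sorted(s.name for s in sockets if s.abstract and s.listening)


def dual_bound(sockets: list[UnixSocket]) -> list[str]:
    """Names bound both on the filesystem and in the abstract namespace (the X11 pattern)."""
    fs = {s.name for s in sockets if s.listening and not s.abstract}
    return sorted(s.name for s in sockets if s.listening and s.abstract and s.name in fs)


if __name__ == "__main__":
    try:
        with open("/proc/net/unix") as fh:  # real table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_UNIX
    socks = parse_proc_net_unix(table)
    print("abstract listeners:", abstract_listeners(socks))
    print("bound in both namespaces:", dual_bound(socks))
```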