On 3/20/18 10:40 PM, Darrick J. Wong wrote: > From: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > > Don't make /tmp private when invoking xfs_scrub as a service, because > /tmp might contain or itself be an xfs filesystem mountpoint. Could you please add a comment to this so that future security analysts don't change it back? :) # xfs_scrub doesn't even use /tmp but <this is why we do this here> > > Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > --- > scrub/xfs_scrub@xxxxxxxxxxx | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > > diff --git a/scrub/xfs_scrub@xxxxxxxxxxx b/scrub/xfs_scrub@xxxxxxxxxxx > index c14f813..9e6206a 100644 > --- a/scrub/xfs_scrub@xxxxxxxxxxx > +++ b/scrub/xfs_scrub@xxxxxxxxxxx > @@ -9,7 +9,7 @@ WorkingDirectory=%I > PrivateNetwork=true > ProtectSystem=full > ProtectHome=read-only > -PrivateTmp=yes > +PrivateTmp=no > AmbientCapabilities=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO > NoNewPrivileges=yes > User=nobody > > -- > To unsubscribe from this list: send the line "unsubscribe linux-xfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html >
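Review bot: The `+PrivateTmp=no` line in the `@@ -9,7 +9,7 @@` hunk turns off a sandboxing option without any comment in the unit file itself, so the reason (/tmp might contain or itself be an xfs filesystem mountpoint) is recorded only in the commit message and is easy to lose in a later hardening pass. Suggest adding a `#` comment directly above that line stating the reason. Since `no` is already systemd's default for PrivateTmp, keeping the explicit setting together with the comment is worthwhile because it marks the choice as deliberate. The neighbouring context lines (`PrivateNetwork=true`, `ProtectSystem=full`, `ProtectHome=read-only`, `NoNewPrivileges=yes`, `User=nobody`) are untouched, so the relaxation is limited to /tmp visibility.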