On Tue, Apr 10, 2018 at 08:45:23PM -0500, Eric Sandeen wrote: > > > On 3/20/18 10:40 PM, Darrick J. Wong wrote: > > From: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > > > > Don't make /tmp private when invoking xfs_scrub as a service, because > > /tmp might contain or itself be an xfs filesystem mountpoint. > > Could you please add a comment to this so that future security analysts > don't change it back? :) # Disable private /tmp just in case %i is a path under /tmp. --D > # xfs_scrub doesn't even use /tmp but <this is why we do this here> > > > > > Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > > --- > > scrub/xfs_scrub@xxxxxxxxxxx | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/scrub/xfs_scrub@xxxxxxxxxxx b/scrub/xfs_scrub@xxxxxxxxxxx > > index c14f813..9e6206a 100644 > > --- a/scrub/xfs_scrub@xxxxxxxxxxx > > +++ b/scrub/xfs_scrub@xxxxxxxxxxx > > @@ -9,7 +9,7 @@ WorkingDirectory=%I > > PrivateNetwork=true > > ProtectSystem=full > > ProtectHome=read-only > > -PrivateTmp=yes > > +PrivateTmp=no > > AmbientCapabilities=CAP_SYS_ADMIN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO > > NoNewPrivileges=yes > > User=nobody > > > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-xfs" in > > the body of a message to majordomo@xxxxxxxxxxxxxxx > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-xfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-xfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
