core: do not enforce PrivateTmp with DynamicUser if /tmp and /var/tmp are already private tmpfs #32724
Conversation
github-actions
bot
added
documentation
tests
portable
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Note We had successfully released a new major release. We are no longer in a development freeze phase. |
bluca
force-pushed
the
dynamic_user_no_private_tmp
branch
from
20c1844
to
8e1acb1
Compare
bluca
force-pushed
the
dynamic_user_no_private_tmp
branch
from
8e1acb1
to
35570fa
Compare
bluca
force-pushed
the
dynamic_user_no_private_tmp
branch
from
35570fa
to
cf0dd4e
Compare
bluca
changed the title
bluca
force-pushed
the
dynamic_user_no_private_tmp
branch
from
cf0dd4e
to
8234797
Compare
github-actions
bot
added
documentation
tests
and removed
ci-failure-appears-unrelated
labels
Not sure, but if so then it's a pre-existing issue as we don't do any enforcement in PrivateTmp=yes either, so it can be handled in a separate PR if needed: |
bluca
force-pushed
the
dynamic_user_no_private_tmp
branch
from
8234797
to
07f51a2
Compare
src/core/unit.c
Outdated
|
|
||
| if (!tmp_found || !var_tmp_found) | ||
| ec->private_tmp = true; | ||
|
|
There was a problem hiding this comment.
that said, maybe a simple fix is to not imply PrivateTmp= in case of DynamicUser=1 but instead imply TemporaryFileSystem=/tmp /var/tmp?
wouldn't that be better and simpler?
i mean, there definitely is value in keeping dynamic uids/gids local to file systems that are destroyed when the service is dead, hence changing the logic liek that would make sense to me.
There was a problem hiding this comment.
Ok I've applied this change, it's slightly backward incompatible unlike the original version but if that's what it takes
poettering
added
reviewed/needs-rework 🔨
|
or well, i generally think that things such as PrivateTmp=1 as high-level knobs are the way to go, and they should abstract what happens in the bg a bit. so i think we should just make sure it has a different effect in case DynamicUser=1 is used, i.e. make it act like TemporaryFs=/tmp + Bind=/var/tmp:/tmp |
bluca
force-pushed
the
dynamic_user_no_private_tmp
branch
from
07f51a2
to
772b5b8
Compare
github-actions
bot
added
documentation
tests
please-review
This is logically equivalent to your comment above - we do want to enforce that private tmpfses are used with DynamicUser=yes, so the PrivateTmp knob becomes essentially meaningless in that case - whether it's enabled or disabled, same result applies I am not making /tmp an alias of /var/tmp as that changes too much the existing setup, where they are different directories, we can't just change that from one version to another as it is most likely going to break things, DynamicUser is used by hundreds of units in Debian alone, plus it's the default for portables |
… are tmpfs DynamicUser= enables PrivateTmp= implicitly to avoid files owned by reusable uids leaking into the host. Configuring TemporaryFileSystem=/tmp/ /var/ also ensures this, so allow it as an alternative, since it has less impactful semantics with respect to PrivateTmp=yes, which links the mount namespace to the host's /tmp instead.
It is already implied by DynamicUser=yes if not set, but dropping it allows users to instead define TemporaryFileSystem=/tmp/ /var/tmp/ in their portable services, which has fewer side effects.
bluca
force-pushed
the
dynamic_user_no_private_tmp
branch
from
772b5b8
to
7cc35c8
Compare
DynamicUser=enablesPrivateTmp=implicitly to avoid files owned by reusable uidsleaking into the host. Configuring
TemporaryFileSystem=/tmp/ /var/also ensuresthis, so allow it as an alternative, since it has less impactful semantics with
respect to
PrivateTmp=yes, which links the mount namespace to the host's /tmp/instead.