poly instantiated tmpdirs
July 13, 2007
fedorapeople.org is coming together and we’re readying for a launch $soon.
Today I got to play with poly instantiated tmpdirs. On the advice of Jeremy I talked to Dan Walsh b/c he is the knower of many security-related things. He told me to look at the pam_namespace docs. That brought me to a fairly obvious text file. :)
Users live in /home/fedora, which is a bind mount of /srv/home (for quota reasons, etc.).
I set up pam_namespace.so in my pam.d/system-auth file like so:
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_namespace.so
Then I edited my /etc/security/namespace.conf file to read:
/tmp /srv/polyinst/tmp/ user root,adm,apache,puppet,nagios,rpm
/var/tmp /srv/polyinst/vartmp/ user root,adm,apache,puppet,nagios,rpm
Next I made the dirs: mkdir -p /srv/polyinst/tmp /srv/polyinst/vartmp
and as the docs said: chmod 000 /srv/polyinst/*
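A small audit script, added here as an example (it is not from the original post and not part of pam_namespace), that checks the two things this setup depends on: every active namespace.conf entry has the four fields polydir, instance prefix, method and uid list with a method pam_namespace recognises, and each instance parent exists with mode 000. The function names are mine, and the prefix-with-trailing-slash layout follows the post's /srv/polyinst/tmp/ convention.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not the post's or pam_namespace's
# own code). A 000 instance parent is what stops users from listing each
# other's instance directories by name, so that is the check that matters.

# Base method names from pam_namespace.conf(5); flags after a colon
# (e.g. "user:create") are ignored for this check.
known_method() {
    case "${1%%:*}" in
        user|context|level|tmpdir|tmpfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Directory holding the per-user instances: the prefix itself when it
# ends in "/" (the post's /srv/polyinst/tmp/ layout), else its parent.
instance_parent() {
    case "$1" in
        */) printf '%s\n' "${1%/}" ;;
        *)  dirname "$1" ;;
    esac
}

# Usage: check_namespace_conf /etc/security/namespace.conf
# Returns 0 when every entry passes, 1 otherwise (details on stderr).
check_namespace_conf() {
    conf="$1"; rc=0
    while read -r polydir prefix method uids extra || [ -n "$polydir" ]; do
        case "$polydir" in ''|'#'*) continue ;; esac   # blank or comment
        if [ -z "$uids" ]; then
            echo "$polydir: expected 4 fields" >&2; rc=1; continue
        fi
        if ! known_method "$method"; then
            echo "$polydir: unknown method '$method'" >&2; rc=1
        fi
        parent=$(instance_parent "$prefix")
        if [ ! -d "$parent" ]; then
            echo "$polydir: instance parent $parent is missing" >&2; rc=1
        elif [ "$(ls -ld "$parent" | cut -c2-10)" != "---------" ]; then
            echo "$polydir: $parent should be chmod 000" >&2; rc=1
        fi
    done < "$conf"
    return "$rc"
}
```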
Now I rebooted for good measure and logged in.
If I log in as root I see the real /tmp, where it lives (root is on the exempt list).
If I log in as me I see /tmp with nothing but my ssh tmpfiles in it. I make a few dirs in there to be sure.
Then I log out as me and log back in as me – the files are still there – that's pretty good.
Then I log out as me, get someone else to log in as a non-root user and hunt for my dir. No joy.
So, this is all good. But it gets better. Since I put the tmpdirs on the same logical device as the homedirs, I get quota'd tmpdirs for free. The quota I set on /srv (where /home is) applies to /srv/polyinst/*, too. So, we're safe on quotas.
Users can still get at each other's homedirs if those are left unprotected, but tmpdirs no longer cause unlimited pain.
Now all I need is to get a nice tmpreaper job to traverse those paths and clean them up every now and then.
Thanks to Jeremy and Dan for the pointers. And thanks to planet fedora for first introducing me to the idea of polyinstantiated dirs.