From Fedora Project Wiki
(Change rejected on 2015-01-28 FESCo meeting)
 

Latest revision as of 15:32, 29 January 2015

Enable Polyinstantiated /tmp and /var/tmp directories by default

Summary

Polyinstantiation of temporary directories is a pro-active security measure that reduces the chance of attacks made possible by the /tmp and /var/tmp directories being world-writable. These include flaws caused by predictable temp file names, race conditions involving symbolic links, etc.

Owner

Current status

Detailed Description

The basic idea is to provide better security to Fedora installs. Though polyinstantiated /tmp has worked since Fedora 19, it is not a single-step process to configure it. Secondly, people don't really understand its benefits. Because of this, having it on by default makes more sense. It is completely transparent to the user; they won't even realize that it has been enabled.

The Red Hat Product Security Team assigns CWE IDs to severe flaws (CVSSv2 > 7). Here is a list of severe flaws caused by insecure tmp files (CWE-377): https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=VERIFIED&bug_status=RELEASE_PENDING&bug_status=CLOSED&classification=Other&f1=status_whiteboard&list_id=2810982&o1=anywords&product=Security%20Response&query_format=advanced&v1=CWE-377

Benefit to Fedora

As mentioned earlier, the main benefit is to provide more security to the underlying platform with minimal changes.

Scope

  • Proposal owners: No work required to be done by the proposal owner.
  • Other developers:
    • Add /tmp-inst and /var/tmp/tmp-inst to filesystem. (packagename: filesystem)
    • Enable namespaces in /etc/security/namespace.conf (packagename: PAM)
    • Enable proper selinux context and polyinstantiation_enabled boolean to be set (packagename: selinux-policy-targeted or selinux-policy)
  • Release engineering: N/A
  • Policies and guidelines: N/A

Upgrade/compatibility impact

Everything should continue to work as normal after upgrade.

How To Test

  • No special hardware is required.
  • Install Fedora 22 with the changes incorporated in the above-mentioned packages, create a non-root user, and check that everything works as normal.
  • Create another user, log in as the second user, create some files in /tmp, and check whether the first user is able to see them.
  • Repeat the above step for /var/tmp.
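The Scope section names the three pieces the change touches (the instance directories in the filesystem package, the namespace.conf entries in PAM, and the SELinux boolean), and the test steps above check the end result by hand with two users. The script below is an added example, not code from this Change page or from Fedora's packages: it parses a pam_namespace configuration file for the /tmp and /var/tmp entries, checks that an instance-prefix directory is root-owned with mode 000 (so ordinary users cannot browse the parent of the per-user instances), and checks the polyinstantiation_enabled boolean where getsebool exists. The sample namespace.conf is constructed here; it assumes the documented "polydir instance_prefix method list_of_uids" line format of namespace.conf(5), a POSIX sh with awk, grep, ls and mktemp, and the "name --> on" output format of getsebool.

```shell
#!/bin/sh
# Added example (not Fedora's own code): sanity checks for a polyinstantiated
# /tmp and /var/tmp setup as described in the Change page.
# Assumptions: POSIX sh with awk, grep, ls -n and mktemp; the
# "polydir instance_prefix method list_of_uids" format of namespace.conf(5);
# getsebool printing "polyinstantiation_enabled --> on" when the boolean is on.

# Constructed sample namespace.conf (not copied from Fedora's shipped file).
SAMPLE_CONF='# polydir   instance_prefix      method   list_of_uids
/tmp        /tmp-inst/           level    root,adm
/var/tmp    /var/tmp/tmp-inst/   level    root,adm
$HOME       $HOME/$USER.inst/    tmpdir
'

# write_sample_conf -> prints the path of a temp file holding SAMPLE_CONF
write_sample_conf() {
    f=$(mktemp) || return 1
    printf '%s' "$SAMPLE_CONF" > "$f"
    echo "$f"
}

# polydirs_from_conf FILE -> one "polydir prefix method" line per active
# (uncommented) entry; comments and blank lines are skipped.
polydirs_from_conf() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 3 { print $1, $2, $3 }'
}

# is_polyinstantiated FILE DIR -> exit 0 if DIR has an active entry in FILE
is_polyinstantiated() {
    polydirs_from_conf "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# instance_prefix_ok DIR [UID] -> exit 0 if DIR exists, is owned by UID
# (default 0 = root) and has mode 000. A 000 parent is what keeps one
# user from listing or entering another user's instance directory.
instance_prefix_ok() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || return 1
    perm=$(ls -ldn "$dir" | awk '{ print $1 }')   # e.g. "d---------." on SELinux hosts
    uid=$(ls -ldn "$dir" | awk '{ print $3 }')
    case "$perm" in d---------*) ;; *) return 1 ;; esac
    [ "$uid" = "$want_uid" ]
}

# selinux_boolean_ok -> exit 0 if polyinstantiation_enabled is on,
# 2 if getsebool is not installed (non-SELinux host), 1 otherwise.
selinux_boolean_ok() {
    command -v getsebool >/dev/null 2>&1 || return 2
    getsebool polyinstantiation_enabled 2>/dev/null | grep -q -- '--> on$'
}

# Usage on the constructed sample: report what would be polyinstantiated.
conf=$(write_sample_conf)
echo "active polydirs in $conf:"
polydirs_from_conf "$conf"
for d in /tmp /var/tmp /home; do
    if is_polyinstantiated "$conf" "$d"; then
        echo "$d: polyinstantiated"
    else
        echo "$d: shared (not polyinstantiated)"
    fi
done
rm -f "$conf"
```

On a real host, point polydirs_from_conf at /etc/security/namespace.conf and instance_prefix_ok at /tmp-inst and /var/tmp/tmp-inst; the two-user test in the steps above is still the authoritative check, since the script only inspects configuration and does not open a PAM session.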

User Experience

No change in user experience; it is completely transparent to the user.

Contingency Plan

  • Contingency mechanism: Poly tmp can be rolled back quite easily by using the previous versions of the packages, which provide the old directory structures and old versions of the configuration files (poly tmp is just configuration and a few new directories). In earlier releases gnome-shell had issues with poly tmp, which now seem to be resolved. In any case, if any blockers exist by the Beta deadline, we can easily remove this feature by tagging previous versions of the affected packages before the final spin.
  • Contingency deadline: Beta freeze
  • Blocks release? No

Documentation

  • https://www.ibm.com/developerworks/library/l-polyinstantiation/
  • http://www.coker.com.au/selinux/talks/sage-2006/PolyInstantiatedDirectories.html
  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/polyinstantiated-directories.html

Release Notes