Project

General

Profile

Feature #29960

Run foreman.service with systemd PrivateTmp=true

Added by Anurag Patel 8 months ago. Updated 8 months ago.

Status:
New
Priority:
High
Assignee:
-
Category:
Packaging
Target version:
-
Difficulty:
Triaged:
Yes
Bugzilla link:
1732038
Pull request:
Fixed in Releases:
Found in Releases:

Description

When foreman.service or foreman-proxy.service is started, it creates world-writable directory `/tmp/bundler/home`. Some users have reported that this triggers alarms in their security scans. Daemons that use `PrivateTmp=true` in their Systemd unit files create tmp directories at `/tmp/systemd-private-*-httpd.service-*/` instead with correct directory permissions.

As an example, PrivateTmp=true is the default setting for httpd shipped from RHEL-7 onwards [1].

[1] https://access.redhat.com/blogs/766093/posts/1976243

Related issues

Related to Foreman - Feature #29417: Harden foreman.service using systemd featuresNew

History

#1 Updated by Lukas Zapletal 8 months ago

Older versions of bundler actually have a security issue with incorrect permissions on that directory allowing arbitrary code execution. I have reported this and it's been fixed :-)

#2 Updated by Lukas Zapletal 8 months ago

  • Triaged changed from No to Yes
  • Priority changed from Normal to High

#3 Updated by Ewoud Kohl van Wijngaarden about 2 months ago

  • Related to Feature #29417: Harden foreman.service using systemd features added

Also available in: Atom PDF