Project

General

Profile

Feature #29960

Run foreman.service with systemd PrivateTmp=true

Added by Anurag Patel about 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
High
Assignee:
Evgeni Golov
Category:
Packaging
Target version:
2.4.0
Difficulty:
Triaged:
Yes
Bugzilla link:
1732038
Pull request:
https://github.com/theforeman/foreman/pull/8345, https://github.com/theforeman/foreman/pull/8356, https://github.com/theforeman/foreman/pull/8351
Fixed in Releases:
2.4.0
Found in Releases:

Description

When foreman.service or foreman-proxy.service is started, it creates world-writable directory `/tmp/bundler/home`. Some users have reported that this triggers alarms in their security scans. Daemons that use `PrivateTmp=true` in their Systemd unit files create tmp directories at `/tmp/systemd-private-*-httpd.service-*/` instead with correct directory permissions.

As an example, PrivateTmp=true is the default setting for httpd shipped from RHEL-7 onwards [1].

[1] https://access.redhat.com/blogs/766093/posts/1976243

Related issues

Related to Foreman - Feature #29417: Harden foreman.service using systemd featuresNew

Associated revisions

Revision d56290ba (diff)
Added by Evgeni Golov over 1 year ago

Fixes #29960 - set PrivateTmp=true in foreman.service

Revision b260c03d (diff)
Added by Evgeni Golov over 1 year ago

Refs #29960 - also set PrivateTmp=true for dynflow-sidekiq

History

#1 Updated by Lukas Zapletal about 2 years ago

Older versions of bundler actually have a security issue with incorrect permissions on that directory allowing arbitrary code execution. I have reported this and it's been fixed :-)

#2 Updated by Lukas Zapletal about 2 years ago

  • Triaged changed from No to Yes
  • Priority changed from Normal to High

#3 Updated by Ewoud Kohl van Wijngaarden over 1 year ago

  • Related to Feature #29417: Harden foreman.service using systemd features added

#4 Updated by The Foreman Bot over 1 year ago

  • Assignee set to Evgeni Golov
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/8345 added

#5 Updated by The Foreman Bot over 1 year ago

  • Fixed in Releases 2.5.0 added

#6 Updated by Evgeni Golov over 1 year ago

  • Status changed from Ready For Testing to Closed

#7 Updated by The Foreman Bot over 1 year ago

  • Pull request https://github.com/theforeman/foreman/pull/8351 added

#8 Updated by Ondřej Ezr over 1 year ago

  • Target version set to 2.4.0

#9 Updated by The Foreman Bot over 1 year ago

  • Pull request https://github.com/theforeman/foreman/pull/8356 added

#10 Updated by Ewoud Kohl van Wijngaarden over 1 year ago

  • Fixed in Releases 2.4.0 added
  • Fixed in Releases deleted (2.5.0)

Also available in: Atom PDF