Feature #29960
Run foreman.service with systemd PrivateTmp=true
Status:
New
Priority:
High
Assignee:
-
Category:
Packaging
Target version:
-
Description
When foreman.service or foreman-proxy.service is started, it creates the world-writable directory `/tmp/bundler/home`. Some users have reported that this triggers alarms in their security scans. Daemons started with `PrivateTmp=true` in their systemd unit file instead get a private tmp directory under `/tmp/systemd-private-*-httpd.service-*/`, created with correct, restrictive directory permissions.
As an example, PrivateTmp=true is the default setting for httpd shipped from RHEL-7 onwards [1].
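As an added example (not part of this ticket or the Foreman packaging), the script below does two things: it writes a systemd drop-in override that enables `PrivateTmp=true` for a unit, using systemd's standard `<unit>.d/*.conf` override mechanism, and it provides a check that approximates what the security scans mentioned above flag, namely directories that are world-writable and lack the sticky bit. The function names and the override file name `privatetmp.conf` are the example's own choices; the override root defaults to `/etc/systemd/system` but can be pointed at a scratch directory to try it without root.

```shell
#!/bin/sh
# Added example, not part of the Foreman project.
# 1) write_privatetmp_dropin: create a drop-in that sets PrivateTmp=true
#    for a unit (hypothetical helper name; the drop-in path layout is systemd's own).
# 2) find_world_writable_dirs: list directories that a permission scan would
#    flag (world-writable without the sticky bit), e.g. /tmp/bundler/home.

# Usage: write_privatetmp_dropin foreman.service [override-root]
# override-root defaults to /etc/systemd/system; prints the file it wrote.
write_privatetmp_dropin() {
  unit="$1"
  root="${2:-/etc/systemd/system}"
  mkdir -p "$root/$unit.d"
  cat > "$root/$unit.d/privatetmp.conf" <<'EOF'
[Service]
PrivateTmp=true
EOF
  printf '%s\n' "$root/$unit.d/privatetmp.conf"
}

# Usage: find_world_writable_dirs /tmp
# Prints, one per line, directories under the given root that are
# world-writable (o+w) and do not have the sticky bit (01000) set.
# A private tmp created by systemd (mode 0700) does not match.
find_world_writable_dirs() {
  find "$1" -type d -perm -o+w ! -perm -1000 2>/dev/null | sort
}
```

After writing the drop-in on a real system, run `systemctl daemon-reload` and restart the unit; the service then sees its own private `/tmp`, and the `/tmp/bundler/home` directory it would otherwise create ends up inside the `/tmp/systemd-private-*` tree, which is not world-writable from the host's point of view.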
Related issues
History
#1
Updated by Lukas Zapletal 8 months ago
Older versions of bundler actually have a security issue with incorrect permissions on that directory allowing arbitrary code execution. I have reported this and it's been fixed :-)
#2
Updated by Lukas Zapletal 8 months ago
- Triaged changed from No to Yes
- Priority changed from Normal to High
#3
Updated by Ewoud Kohl van Wijngaarden about 2 months ago
- Related to Feature #29417: Harden foreman.service using systemd features added