Actions
Feature #29960
closed
Run foreman.service with systemd PrivateTmp=true
Difficulty:
Triaged:
Yes
Bugzilla link:
Description
When foreman.service or foreman-proxy.service is started, it creates world-writable directory `/tmp/bundler/home`. Some users have reported that this triggers alarms in their security scans. Daemons that use `PrivateTmp=true` in their Systemd unit files create tmp directories at `/tmp/systemd-private-*-httpd.service-*/` instead with correct directory permissions.
As an example, PrivateTmp=true is the default setting for httpd shipped from RHEL-7 onwards [1].
Updated by Lukas Zapletal almost 4 years ago
Older versions of bundler actually have a security issue with incorrect permissions on that directory allowing arbitrary code execution. I have reported this and it's been fixed :-)
Updated by Lukas Zapletal almost 4 years ago
- Priority changed from Normal to High
- Triaged changed from No to Yes
Updated by Ewoud Kohl van Wijngaarden over 3 years ago
- Related to Feature #29417: Harden foreman.service using systemd features added
Updated by The Foreman Bot about 3 years ago
- Status changed from New to Ready For Testing
- Assignee set to Evgeni Golov
- Pull request https://github.com/theforeman/foreman/pull/8345 added
Updated by Evgeni Golov about 3 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman|d56290ba0e4133244f802de5a876af8b3b184df2.
Updated by The Foreman Bot about 3 years ago
- Pull request https://github.com/theforeman/foreman/pull/8351 added
Updated by
Updated by The Foreman Bot about 3 years ago
- Pull request https://github.com/theforeman/foreman/pull/8356 added
Updated by Ewoud Kohl van Wijngaarden about 3 years ago
- Fixed in Releases 2.4.0 added
- Fixed in Releases deleted (
2.5.0)
Actions