Feature #29960
closed
Run foreman.service with systemd PrivateTmp=true
Added by Anurag Patel over 4 years ago.
Updated almost 4 years ago.
Description
When foreman.service or foreman-proxy.service is started, it creates world-writable directory `/tmp/bundler/home`. Some users have reported that this triggers alarms in their security scans. Daemons that use `PrivateTmp=true` in their Systemd unit files create tmp directories at `/tmp/systemd-private-*-httpd.service-*/` instead with correct directory permissions.
As an example, PrivateTmp=true is the default setting for httpd shipped from RHEL-7 onwards [1].
[1] https://access.redhat.com/blogs/766093/posts/1976243
Related issues
1 (1 open — 0 closed)
Older versions of bundler actually have a security issue with incorrect permissions on that directory allowing arbitrary code execution. I have reported this and it's been fixed :-)
- Priority changed from Normal to High
- Triaged changed from No to Yes
- Related to Feature #29417: Harden foreman.service using systemd features added
- Status changed from New to Ready For Testing
- Assignee set to Evgeni Golov
- Pull request https://github.com/theforeman/foreman/pull/8345 added
- Fixed in Releases 2.5.0 added
- Status changed from Ready For Testing to Closed
- Pull request https://github.com/theforeman/foreman/pull/8351 added
- Target version set to 2.4.0
- Pull request https://github.com/theforeman/foreman/pull/8356 added
- Fixed in Releases 2.4.0 added
- Fixed in Releases deleted (
2.5.0)
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by