Feature #29960

closed

Run foreman.service with systemd PrivateTmp=true

Added by Anurag Patel almost 4 years ago. Updated about 3 years ago.

Status: Closed
Priority: High
Assignee:
Category: Packaging
Target version:
Fixed in Releases:
Found in Releases:

Description

When foreman.service or foreman-proxy.service is started, it creates a world-writable directory, `/tmp/bundler/home`. Some users have reported that this triggers alarms in their security scans. Daemons that use `PrivateTmp=true` in their systemd unit files create tmp directories at `/tmp/systemd-private-*-httpd.service-*/` instead, with correct directory permissions.

As an example, PrivateTmp=true is the default setting for httpd shipped from RHEL-7 onwards [1].

[1] https://access.redhat.com/blogs/766093/posts/1976243
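
The check behind this request can be scripted. The following is an added example, not code from the Foreman project: it reports the `PrivateTmp=` value a unit file and its drop-ins would yield, and lists world-writable directories under a given root. The function names, the sample unit contents and the drop-in filename `10-private-tmp.conf` are assumptions, and only one unit path with its adjacent `.d` directory is read, whereas systemd merges several directories.

```shell
#!/bin/sh
# Added example. Unit contents and paths in demo() are constructed samples.

# Effective PrivateTmp= for a unit file plus its <unit>.d/*.conf drop-ins.
# Later [Service] assignments override earlier ones; unset means "no".
private_tmp_setting() {
    unit=$1
    set -- "$unit"
    for f in "$unit".d/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    awk '
        FNR == 1 { in_service = 0 }      # section state does not span files
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && /^[ \t]*PrivateTmp[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            val = tolower(v)
        }
        END {
            if (val ~ /^(yes|true|1|on)$/) print "yes"
            else if (val == "" || val ~ /^(no|false|0|off)$/) print "no"
            else print val
        }' "$@"
}

# Directories under $1 that any local user can write to (what the scans flag).
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null | sort
}

# Build a constructed unit tree and shared-tmp stand-in, then report on both.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/units/foreman.service.d" "$root/tmp/bundler/home"
    chmod 0777 "$root/tmp/bundler/home"        # mimics the reported directory
    printf '[Unit]\nDescription=sample\n[Service]\nExecStart=/bin/true\n' \
        > "$root/units/foreman.service"
    echo "before: PrivateTmp=$(private_tmp_setting "$root/units/foreman.service")"
    printf '[Service]\nPrivateTmp=true\n' \
        > "$root/units/foreman.service.d/10-private-tmp.conf"
    echo "after:  PrivateTmp=$(private_tmp_setting "$root/units/foreman.service")"
    echo "world-writable under shared tmp stand-in:"
    world_writable_dirs "$root/tmp"
    rm -rf "$root"
}
demo
```

On a running host, `systemctl show -p PrivateTmp foreman.service` reports the value systemd actually applied after merging all unit directories.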


Related issues 1 (1 open, 0 closed)

Related to Foreman - Feature #29417: Harden foreman.service using systemd features (New)