Bug 782477

Summary: Propose that you turn on PrivateTmp=true in service file for arpwatch
Product: Fedora
Reporter: Daniel Walsh <dwalsh>
Component: arpwatch
Assignee: Jan Synacek <jsynacek>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: jsynacek
Doc Type: Bug Fix
Last Closed: 2012-02-13 13:31:15 UTC
Bug Blocks: 782466

Description Daniel Walsh 2012-01-17 15:18:58 UTC
I would like to propose using PrivateTmp for arpwatch, to make it more secure and to prevent users from being able to potentially affect it.

http://fedoraproject.org/wiki/Features/ServicesPrivateTmp

Comment 1 Jan Synacek 2012-01-20 09:32:56 UTC
I ran into a strange (at least for me) problem after I enabled PrivateTmp in F16. When I attempt to start arpwatch.service, it simply fails to start and changes permissions of /tmp to 1755, meaning that only processes run by root can write in there (which is certainly what I do not want).

Here is a small test:

root@dhcp-25-72 /home/jsynacek/work/openldap$ stat /tmp
  File: `/tmp'
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 2367492     Links: 2
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:tmp_t:s0
Access: 2012-01-20 10:21:54.774452265 +0100
Modify: 2012-01-20 10:20:51.091487205 +0100
Change: 2012-01-20 10:22:36.990429189 +0100
 Birth: -
root@dhcp-25-72 /home/jsynacek/work/openldap$ systemctl start arpwatch.service
Job failed. See system logs and 'systemctl status' for details.
root@dhcp-25-72 /home/jsynacek/work/openldap$ systemctl status arpwatch.service 
arpwatch.service - Arpwatch daemon which keeps track of ethernet/ip address pairings
	  Loaded: loaded (/lib/systemd/system/arpwatch.service; enabled)
	  Active: failed since Fri, 20 Jan 2012 10:22:49 +0100; 3s ago
	 Process: 27044 ExecStart=/usr/sbin/arpwatch $OPTIONS (code=exited, status=254)
	  CGroup: name=systemd:/system/arpwatch.service
root@dhcp-25-72 /home/jsynacek/work/openldap$ stat /tmp
  File: `/tmp'
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 2367495     Links: 2
Access: (1755/drwxr-xr-t)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:tmp_t:s0
Access: 2012-01-20 10:22:42.504426205 +0100
Modify: 2012-01-20 10:22:42.504426205 +0100
Change: 2012-01-20 10:22:42.504426205 +0100
 Birth: -

Am I missing something? What does exit status 254 mean?
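As an added example (not part of this bug report or of the arpwatch package), the following script carries the proposal and the check implied by the failure above: it emits the PrivateTmp=true drop-in for the [Service] section, verifies that a unit file actually sets it, and confirms that the host /tmp still has mode 1777 rather than the 1755 seen here. The unit name, the drop-in path and the --live switch are assumptions; the live check needs root and a running systemd.

```shell
#!/bin/sh
# Added example, not from the bug report. Checks that enabling PrivateTmp for
# arpwatch.service left the host /tmp intact (mode 1777) and that the running
# service really sees a private /tmp. The unit name is an assumption.
set -eu

UNIT="${UNIT:-arpwatch.service}"

# Drop-in text implementing the proposal: PrivateTmp=true in [Service].
# Install as /etc/systemd/system/arpwatch.service.d/privatetmp.conf (assumed path).
private_tmp_dropin() {
    printf '[Service]\nPrivateTmp=true\n'
}

# Succeeds when FILE sets PrivateTmp to a true value (systemd accepts these spellings).
unit_sets_private_tmp() {
    grep -Eiq '^[[:space:]]*PrivateTmp=(true|yes|on|1)[[:space:]]*$' "$1"
}

# Succeeds when DIR is world-writable with the sticky bit (1777), which is what
# /tmp must stay; the failure in this report left it at 1755.
tmp_mode_ok() {
    [ "$(stat -c %a "$1")" = "1777" ]
}

# Live check (root + systemd): the service's /tmp must be a different directory
# from the host's, and the host's must still be 1777.
live_check() {
    pid=$(systemctl show -p MainPID --value "$UNIT")
    if [ "$pid" = "0" ]; then
        echo "$UNIT is not running" >&2
        return 1
    fi
    host_ino=$(stat -c %i /tmp)
    svc_ino=$(stat -c %i "/proc/$pid/root/tmp")
    if [ "$host_ino" = "$svc_ino" ]; then
        echo "$UNIT shares /tmp with the host: PrivateTmp not in effect" >&2
        return 1
    fi
    if ! tmp_mode_ok /tmp; then
        echo "host /tmp mode is $(stat -c %a /tmp), expected 1777" >&2
        return 1
    fi
    echo "$UNIT has a private /tmp and host /tmp is still 1777"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```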

Comment 2 Daniel Walsh 2012-01-20 21:49:09 UTC
DON'T enable this in F16, it requires systemd-38...

Comment 3 Jan Synacek 2012-01-23 06:38:27 UTC
Oh, didn't know that. I was just testing it locally though.
Anyway, I have enabled PrivateTmp in rawhide.

Comment 4 Jan Synacek 2012-02-13 13:31:15 UTC
Seems to be working fine. Closing.