Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Propose that you turn on PrivateTmp=true in service file for varnishd|
|Product:||[Fedora] Fedora||Reporter:||Daniel Walsh <dwalsh>|
|Component:||varnish||Assignee:||Ingvar Hagelund <ingvar>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Fixed In Version:||varnish-3.0.2-2.fc17||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-03-17 20:48:19 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
Description Daniel Walsh 2012-01-17 11:03:26 EST
I would like to propose using PrivateTmp for varnishd systemd unit file This should make the use of /tmp directory more secure and avoid users from being able to potentially effect it. http://fedoraproject.org/wiki/Features/ServicesPrivateTmp
Comment 1 Daniel Walsh 2012-02-06 15:45:59 EST
Any change on this bug. We are coming up to Feature Freeze, and would like some comment on this bug. If you do not believe this application uses /tmp than please comment on this and close the bug. If you believe this application needs to use /tmp to communicate with other applications or users then you can close this bug with that comment. If your app does not use systemd, then close this bug with that comment. If you have no idea, then please add a comment, and change the bug to assigned. I need to update the status on this feature. Thanks for your help.
Comment 2 Ingvar Hagelund 2012-03-12 05:51:45 EDT
In its fedora package, varnish should not use /tmp, but it may be configured to do so. It does not need to share any data with its surroundings, so a private /tmp should be safe. I'll look into this. Ingvar
Comment 3 Ingvar Hagelund 2012-03-12 07:48:57 EDT
Just adding PrivateTmp=true works with no changes to the config. If I change the config to use /tmp instead of /var/lib/varnish, a new private tmp catalog is created in /tmp/systemd-namespace-[some_uniq_tmpdir] every time varnish is restarted. This seems by design, but I need some way to clear up. varnish may reserve several GB to its file backing store, so after a few restarts, a lot of space on /tmp may be filled up.
Comment 4 Ingvar Hagelund 2012-03-12 08:18:26 EDT
With a bit afterthought: If the user changes this kind of config, he probably knows very well what he is doing and why, so keeping the default to /var/lib/varnish, and adding PrivateTmp=true should be safe. The only other file stored in /tmp is an anonymous file handle used some time during startup. It is automatically cleared away and works without problems with PrivateTmp=true.
Comment 5 Fedora Update System 2012-03-13 03:18:30 EDT
varnish-3.0.2-2.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/varnish-3.0.2-2.fc17
Comment 6 Fedora Update System 2012-03-13 13:10:06 EDT
Package varnish-3.0.2-2.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing varnish-3.0.2-2.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-3672/varnish-3.0.2-2.fc17 then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-03-17 20:48:19 EDT
varnish-3.0.2-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.