Bug 752540 - PrivateTmp does not work.
Summary: PrivateTmp does not work.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-11-09 19:40 UTC by Daniel Walsh
Modified: 2012-01-30 20:59 UTC (History)

Fixed In Version: systemd-37-11.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-30 20:59:09 UTC
Type: ---
Embargoed:


Attachments
This is the program sandbox uses to mount private /tmp directories. (24.90 KB, text/plain) 2011-11-09 20:46 UTC, Daniel Walsh
After talking with Al Viro this is the patch I believe you should need (575 bytes, patch) 2012-01-03 19:15 UTC, Daniel Walsh

Description Daniel Walsh 2011-11-09 19:40:32 UTC
It seems like starting the service affects the current namespace.

I set up httpd to run with a private tmp.

# cat /etc/systemd/system/httpd.service 
.include /lib/systemd/system/httpd.service 
[Service]
PrivateTmp=true

# systemctl start httpd.service
Failed to get D-Bus connection: Failed to connect to socket /run/systemd/private: No such file or directory

What I notice is the /run/systemd directory has disappeared.  If I was a betting man, it got eliminated from my namespace.

I have to reboot to get /run/systemd back.

Comment 1 Daniel Walsh 2011-11-09 20:46:55 UTC
Created attachment 532670
This is the program sandbox uses to mount private /tmp directories.

When you unshare, you have to first 

mount -o bind /tmp /tmp
Then set the /tmp as private

mount --make-private /tmp

Then you can mount your /tmp over the /tmp directory.

mount -o bind /tmp/systemd-private... /tmp

Also you need to make sure you set all of the flags correctly.
 MS_NODEV | MS_NOSUID | MS_NOEXEC;

Also you want to maintain the sticky bit and protections.

	if (fchmod(fd_t, 01770) == -1) {
		fprintf(stderr, _("Unable to change mode on %s: %s\n"), tmpdir, strerror(errno));
		goto err;
	}

Comment 2 Daniel Walsh 2012-01-03 19:15:10 UTC
Created attachment 550512
After talking with Al Viro this is the patch I believe you should need

Basically executing
        if (mount("none", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) {
                r = -errno;
                goto fail;
        }

Says that nothing in your new namespace will propagate out to the parent namespace.

Comment 3 Daniel Walsh 2012-01-03 19:52:48 UTC
Applying this patch causes apache with a private tmp to work without affecting the parent namespace.

/run/systemd is still present.  When I look at /proc/PIDOFHTTP/mountinfo

I see

# grep /tmp /proc/2826/mountinfo 
105 79 0:33 / /tmp rw,relatime - tmpfs tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel
109 105 0:33 /systemd-namespace-jXSgbB/private /tmp rw,relatime - tmpfs tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel

If I look at my mountinfo I see
 grep /tmp /proc/self/mountinfo 
42 22 0:33 / /tmp rw,relatime - tmpfs tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel
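
The steps from comments 1 and 2, plus the mountinfo check from comment 3, put together in one C program. This is an added example, not the attached sandbox program, the attached patch, or systemd's own code: setup_private_tmp(), parse_mountinfo_line(), is_private_tmp_line() and private_tmp_mount_count() are names chosen here, the caller supplies the private directory path, and the bind-remount step is how the nodev/nosuid/noexec flags are applied to a bind mount (a plain bind inherits the underlying mount's flags, per mount(2)). The sample mountinfo lines used to exercise the checker are copied from comment 3.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for unshare(2) and CLONE_NEWNS */
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000 /* new mount namespace, value from <linux/sched.h> */
#endif
int unshare(int flags);        /* explicit prototype in case <sched.h> did not expose it */

/* Comments 1 and 2 combined: new mount namespace, slave propagation, private
 * directory bound over /tmp. Needs CAP_SYS_ADMIN (not run by the test); returns 0 or -errno. */
int setup_private_tmp(const char *private_dir)
{
    if (unshare(CLONE_NEWNS) < 0)
        return -errno;
    /* Comment 2: recursive slave mark on / so nothing mounted or unmounted in
     * here propagates to the parent (which kept losing /run/systemd before). */
    if (mount("none", "/", NULL, MS_SLAVE | MS_REC, NULL) < 0)
        return -errno;
    /* Comment 1: bind /tmp over itself, make it private, then bind on top. */
    if (mount("/tmp", "/tmp", NULL, MS_BIND, NULL) < 0)
        return -errno;
    if (mount("none", "/tmp", NULL, MS_PRIVATE, NULL) < 0)
        return -errno;
    if (mount(private_dir, "/tmp", NULL, MS_BIND, NULL) < 0)
        return -errno;
    /* A bind inherits the old flags; nodev,nosuid,noexec need a bind-remount. */
    if (mount("none", "/tmp", NULL,
              MS_BIND | MS_REMOUNT | MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL) < 0)
        return -errno;
    /* Comment 1: keep the sticky bit and the 1770 mode on the new /tmp. */
    int fd = open("/tmp", O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -errno;
    if (fchmod(fd, 01770) < 0) { int saved = errno; close(fd); return -saved; }
    close(fd);
    return 0;
}

/* One /proc/PID/mountinfo line, the fields comment 3 compares. */
struct mount_entry {
    int id, parent;
    char root[256], mount_point[256], fstype[64], source[64];
};

/* "ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional fields] - FSTYPE SOURCE ...";
 * returns 1 on success, 0 if the line is not a well-formed mountinfo line. */
int parse_mountinfo_line(const char *line, struct mount_entry *e)
{
    char majmin[32], opts[256];
    int consumed = 0;
    if (sscanf(line, "%d %d %31s %255s %255s %255s%n", &e->id, &e->parent,
               majmin, e->root, e->mount_point, opts, &consumed) != 6)
        return 0;
    const char *sep = strstr(line + consumed, " - "); /* skips optional fields */
    if (!sep) return 0;
    return sscanf(sep + 3, "%63s %63s", e->fstype, e->source) == 2;
}

/* A PrivateTmp service sees /tmp as a bind of a tmpfs subdirectory (root != "/"),
 * as in comment 3; the parent namespace must see no such line. */
int is_private_tmp_line(const char *line)
{
    struct mount_entry e;
    return parse_mountinfo_line(line, &e) && strcmp(e.mount_point, "/tmp") == 0 &&
           strcmp(e.root, "/") != 0;
}

/* Count such lines in a whole mountinfo dump (newline separated). */
int private_tmp_mount_count(const char *mountinfo)
{
    int count = 0;
    char buf[512];
    while (*mountinfo) {
        const char *nl = strchr(mountinfo, '\n');
        size_t len = nl ? (size_t)(nl - mountinfo) : strlen(mountinfo);
        size_t copy = len < sizeof buf - 1 ? len : sizeof buf - 1;
        memcpy(buf, mountinfo, copy);
        buf[copy] = '\0';
        count += is_private_tmp_line(buf);
        mountinfo += nl ? len + 1 : len;
    }
    return count;
}

/* Stand-alone: report what the caller's own namespace shows, as in comment 3. */
int main(void)
{
    static char dump[1 << 16];
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) return 1;
    dump[fread(dump, 1, sizeof dump - 1, f)] = '\0';
    fclose(f);
    printf("private /tmp binds visible here: %d\n", private_tmp_mount_count(dump));
    return 0;
}
```

Run unprivileged, the program only reports whether the current namespace shows a private /tmp bind (the answer for the parent namespace should be 0, as in the second grep of comment 3); setup_private_tmp() needs root or a user namespace with mount rights, and after it the same check run from inside the new namespace reports 1 while /proc/self/mountinfo of the parent stays unchanged.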

Comment 4 Lennart Poettering 2012-01-03 20:54:26 UTC
Fixed in systemd git.

Comment 5 Fedora Update System 2012-01-11 15:02:11 UTC
systemd-37-6.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/systemd-37-6.fc16

Comment 6 Fedora Update System 2012-01-11 20:57:49 UTC
Package systemd-37-6.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-37-6.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-6.fc16
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-01-16 02:25:23 UTC
Package systemd-37-7.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-37-7.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-7.fc16
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-01-17 20:23:16 UTC
Package systemd-37-8.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-37-8.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-8.fc16
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2012-01-22 22:54:37 UTC
Package systemd-37-10.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-37-10.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-10.fc16
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-01-26 22:58:24 UTC
Package systemd-37-11.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing systemd-37-11.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0409/systemd-37-11.fc16
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2012-01-30 20:59:09 UTC
systemd-37-11.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
