I would like to propose using PrivateTmp for arpwatch, to make it more secure and prevent users from being able to potentially affect it. http://fedoraproject.org/wiki/Features/ServicesPrivateTmp
I ran into a strange (at least for me) problem after I enabled PrivateTmp in F16. When I attempt to start arpwatch.service, it simply fails to start and changes permissions of /tmp to 1755, meaning that only processes run by root can write in there (which is certainly what I do not want). Here is a small test:

root@dhcp-25-72 /home/jsynacek/work/openldap$ stat /tmp
  File: `/tmp'
  Size: 4096      Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d    Inode: 2367492     Links: 2
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:tmp_t:s0
Access: 2012-01-20 10:21:54.774452265 +0100
Modify: 2012-01-20 10:20:51.091487205 +0100
Change: 2012-01-20 10:22:36.990429189 +0100
 Birth: -
root@dhcp-25-72 /home/jsynacek/work/openldap$ systemctl start arpwatch.service
Job failed. See system logs and 'systemctl status' for details.
root@dhcp-25-72 /home/jsynacek/work/openldap$ systemctl status arpwatch.service
arpwatch.service - Arpwatch daemon which keeps track of ethernet/ip address pairings
          Loaded: loaded (/lib/systemd/system/arpwatch.service; enabled)
          Active: failed since Fri, 20 Jan 2012 10:22:49 +0100; 3s ago
         Process: 27044 ExecStart=/usr/sbin/arpwatch $OPTIONS (code=exited, status=254)
          CGroup: name=systemd:/system/arpwatch.service
root@dhcp-25-72 /home/jsynacek/work/openldap$ stat /tmp
  File: `/tmp'
  Size: 4096      Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d    Inode: 2367495     Links: 2
Access: (1755/drwxr-xr-t)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:tmp_t:s0
Access: 2012-01-20 10:22:42.504426205 +0100
Modify: 2012-01-20 10:22:42.504426205 +0100
Change: 2012-01-20 10:22:42.504426205 +0100
 Birth: -

Am I missing something? What does exit status 254 mean?
DON'T enable this in F16; it requires systemd-38...
Oh, didn't know that. I was just testing it locally though. Anyway, I have enabled PrivateTmp in rawhide.
Seems to be working fine. Closing.