Bug 782477 - Propose that you turn on PrivateTmp=true in service file for arpwatch
Summary: Propose that you turn on PrivateTmp=true in service file for arpwatch
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: arpwatch
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jan Synacek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: PrivateTmp
 
Reported: 2012-01-17 15:18 UTC by Daniel Walsh
Modified: 2012-02-13 13:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-13 13:31:15 UTC
Type: ---
Embargoed:



Description Daniel Walsh 2012-01-17 15:18:58 UTC
I would like to propose using PrivateTmp for arpwatch, to make it more secure
and prevent users from being able to potentially affect it.

http://fedoraproject.org/wiki/Features/ServicesPrivateTmp

Comment 1 Jan Synacek 2012-01-20 09:32:56 UTC
I ran into a strange (at least for me) problem after I enabled PrivateTmp in F16. When I attempt to start arpwatch.service, it simply fails to start and changes permissions of /tmp to 1755, meaning that only processes run by root can write in there (which is certainly what I do not want).

Here is a small test:

root@dhcp-25-72 /home/jsynacek/work/openldap$ stat /tmp
  File: `/tmp'
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 2367492     Links: 2
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:tmp_t:s0
Access: 2012-01-20 10:21:54.774452265 +0100
Modify: 2012-01-20 10:20:51.091487205 +0100
Change: 2012-01-20 10:22:36.990429189 +0100
 Birth: -
root@dhcp-25-72 /home/jsynacek/work/openldap$ systemctl start arpwatch.service
Job failed. See system logs and 'systemctl status' for details.
root@dhcp-25-72 /home/jsynacek/work/openldap$ systemctl status arpwatch.service 
arpwatch.service - Arpwatch daemon which keeps track of ethernet/ip address pairings
	  Loaded: loaded (/lib/systemd/system/arpwatch.service; enabled)
	  Active: failed since Fri, 20 Jan 2012 10:22:49 +0100; 3s ago
	 Process: 27044 ExecStart=/usr/sbin/arpwatch $OPTIONS (code=exited, status=254)
	  CGroup: name=systemd:/system/arpwatch.service
root@dhcp-25-72 /home/jsynacek/work/openldap$ stat /tmp
  File: `/tmp'
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 2367495     Links: 2
Access: (1755/drwxr-xr-t)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:tmp_t:s0
Access: 2012-01-20 10:22:42.504426205 +0100
Modify: 2012-01-20 10:22:42.504426205 +0100
Change: 2012-01-20 10:22:42.504426205 +0100
 Birth: -

Am I missing something? What does exit status 254 mean?
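As an added example (not part of the bug report or of the Fedora arpwatch package), a small POSIX shell checker for the two things this thread is about: whether a unit file's [Service] section actually enables PrivateTmp, and whether the host /tmp still has the 1777 mode (sticky bit, world-writable) that the failed start above replaced with 1755. The unit text is constructed around the ExecStart line shown in the transcript and is not the real Fedora unit.

```shell
#!/bin/sh
# Added example, not from the bug report. Checks a systemd unit for
# PrivateTmp=true and validates the mode of the host /tmp directory.

# Return 0 if the unit text on stdin sets PrivateTmp to a true value in its
# [Service] section (the only section where systemd honours the directive).
# The last occurrence wins, as in systemd itself; "true", "yes", "1" and "on"
# are the boolean spellings systemd accepts.
unit_has_private_tmp() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]") }
        in_service && /^[ \t]*PrivateTmp[ \t]*=/ {
            split($0, kv, "="); v = kv[2]; gsub(/[ \t]/, "", v)
            found = (v == "true" || v == "yes" || v == "1" || v == "on")
        }
        END { exit found ? 0 : 1 }
    '
}

# Return 0 if an octal mode string (as printed by "stat -c %a") has both the
# sticky bit and the others-write bit, i.e. the expected 1777 for /tmp.
# 1755, the mode seen after the failed start, lacks others-write and fails.
tmp_mode_ok() {
    mode=$(( 0$1 ))                     # leading 0 forces octal interpretation
    [ $(( mode & 01000 )) -ne 0 ] && [ $(( mode & 0002 )) -ne 0 ]
}

# Constructed unit text: the ExecStart from the transcript plus the proposed
# PrivateTmp=true. Hypothetical, not the shipped arpwatch.service.
SAMPLE_UNIT='[Unit]
Description=Arpwatch daemon which keeps track of ethernet/ip address pairings

[Service]
ExecStart=/usr/sbin/arpwatch $OPTIONS
PrivateTmp=true

[Install]
WantedBy=multi-user.target'

# Demo: report on the constructed unit and on the live /tmp of this host.
if printf '%s\n' "$SAMPLE_UNIT" | unit_has_private_tmp; then
    echo "sample unit: PrivateTmp enabled"
else
    echo "sample unit: PrivateTmp NOT enabled"
fi
if tmp_mode_ok "$(stat -c %a /tmp 2>/dev/null)"; then
    echo "/tmp mode: ok (sticky, world-writable)"
else
    echo "/tmp mode: WRONG, unprivileged processes may be unable to write"
fi
```

Run the /tmp check before and after `systemctl start` on a unit with PrivateTmp enabled to catch the regression described above.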

Comment 2 Daniel Walsh 2012-01-20 21:49:09 UTC
DON'T enable this in F16, it requires systemd-38...

Comment 3 Jan Synacek 2012-01-23 06:38:27 UTC
Oh, didn't know that. I was just testing it locally though.
Anyway, I have enabled PrivateTmp in rawhide.

Comment 4 Jan Synacek 2012-02-13 13:31:15 UTC
Seems to be working fine. Closing.

