Bug 782477 - Propose that you turn on PrivateTmp=true in service file for arpwatch
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: arpwatch
Version: rawhide
Assigned To: Jan Synacek
QA Contact: Fedora Extras Quality Assurance
Blocks: PrivateTmp
Reported: 2012-01-17 10:18 EST by Daniel Walsh
Modified: 2012-02-13 08:31 EST
Last Closed: 2012-02-13 08:31:15 EST
Doc Type: Bug Fix

Description Daniel Walsh 2012-01-17 10:18:58 EST
I would like to propose using PrivateTmp for arpwatch, to make it more secure
and keep users from being able to potentially affect it.

http://fedoraproject.org/wiki/Features/ServicesPrivateTmp
Comment 1 Jan Synacek 2012-01-20 04:32:56 EST
I ran into a strange (at least for me) problem after I enabled PrivateTmp in F16. When I attempt to start arpwatch.service, it simply fails to start and changes permissions of /tmp to 1755, meaning that only processes run by root can write in there (which is certainly what I do not want).

Here is a small test:

root@dhcp-25-72 /home/jsynacek/work/openldap$ stat /tmp
  File: `/tmp'
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 2367492     Links: 2
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:tmp_t:s0
Access: 2012-01-20 10:21:54.774452265 +0100
Modify: 2012-01-20 10:20:51.091487205 +0100
Change: 2012-01-20 10:22:36.990429189 +0100
 Birth: -
root@dhcp-25-72 /home/jsynacek/work/openldap$ systemctl start arpwatch.service
Job failed. See system logs and 'systemctl status' for details.
root@dhcp-25-72 /home/jsynacek/work/openldap$ systemctl status arpwatch.service 
arpwatch.service - Arpwatch daemon which keeps track of ethernet/ip address pairings
	  Loaded: loaded (/lib/systemd/system/arpwatch.service; enabled)
	  Active: failed since Fri, 20 Jan 2012 10:22:49 +0100; 3s ago
	 Process: 27044 ExecStart=/usr/sbin/arpwatch $OPTIONS (code=exited, status=254)
	  CGroup: name=systemd:/system/arpwatch.service
root@dhcp-25-72 /home/jsynacek/work/openldap$ stat /tmp
  File: `/tmp'
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 2367495     Links: 2
Access: (1755/drwxr-xr-t)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:tmp_t:s0
Access: 2012-01-20 10:22:42.504426205 +0100
Modify: 2012-01-20 10:22:42.504426205 +0100
Change: 2012-01-20 10:22:42.504426205 +0100
 Birth: -

Am I missing something? What does exit status 254 mean?
Comment 2 Daniel Walsh 2012-01-20 16:49:09 EST
DON'T enable this in F16, it requires systemd-38...
Comment 3 Jan Synacek 2012-01-23 01:38:27 EST
Oh, didn't know that. I was just testing it locally though.
Anyway, I have enabled PrivateTmp in rawhide.
Comment 4 Jan Synacek 2012-02-13 08:31:15 EST
Seems to be working fine. Closing.
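As an added example, not part of the bug report or of the arpwatch package: shell helpers that check a unit file for PrivateTmp=true in its [Service] section, gate on the systemd 38 requirement from comment 2, and flag the /tmp mode regression from comment 1. The argument-passing interface (unit path, major version, octal mode) is an assumption so the checks can be run against constructed values.

```shell
#!/bin/sh
# Added example (not from the bug report): audit helpers for a PrivateTmp rollout.
# Inputs are passed as arguments rather than read from the host so the checks are
# deterministic; the interface is an assumption, not Fedora's or systemd's tooling.

# Return 0 when the [Service] section of the unit file sets PrivateTmp to a true value.
unit_has_private_tmp() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]") }
        in_service && /^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*(true|yes|on|1)[[:space:]]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# PrivateTmp= needs systemd 38 or later (comment 2); "$1" is the major version number.
systemd_supports_private_tmp() {
    [ "$1" -ge 38 ] 2>/dev/null
}

# Detect the symptom from comment 1: /tmp must stay 1777 (world-writable with sticky bit).
tmp_mode_ok() {
    [ "$1" = "1777" ]
}

# Run all three checks; print the first failing reason and return a distinct non-zero code.
audit_private_tmp() {
    unit=$1; version=$2; tmp_mode=$3
    if ! unit_has_private_tmp "$unit"; then
        echo "FAIL: $unit does not set PrivateTmp=true"; return 1
    fi
    if ! systemd_supports_private_tmp "$version"; then
        echo "FAIL: systemd $version is older than 38; PrivateTmp is unsupported"; return 2
    fi
    if ! tmp_mode_ok "$tmp_mode"; then
        echo "FAIL: /tmp mode is $tmp_mode, expected 1777"; return 3
    fi
    echo "OK: PrivateTmp enabled, systemd $version, /tmp mode $tmp_mode"
}

# Live usage on a host (after starting the service), e.g.:
# audit_private_tmp /lib/systemd/system/arpwatch.service \
#     "$(systemctl --version | awk 'NR==1 {print $2}')" "$(stat -c %a /tmp)"
```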
