Red Hat Bugzilla – Bug 782539
Propose that you turn on PrivateTmp=true in service file for varnishd
Last modified: 2012-03-17 20:48:19 EDT
I would like to propose using PrivateTmp for varnishd systemd unit file
This should make the use of /tmp directory more secure
and avoid users from being able to potentially effect it.
Any change on this bug. We are coming up to Feature Freeze, and would like some comment on this bug.
If you do not believe this application uses /tmp than please comment on this and close the bug.
If you believe this application needs to use /tmp to communicate with other applications or users then you can close this bug with that comment.
If your app does not use systemd, then close this bug with that comment.
If you have no idea, then please add a comment, and change the bug to assigned.
I need to update the status on this feature.
Thanks for your help.
In its fedora package, varnish should not use /tmp, but it may be configured to do so. It does not need to share any data with its surroundings, so a private /tmp should be safe. I'll look into this.
Just adding PrivateTmp=true works with no changes to the config. If I change the config to use /tmp instead of /var/lib/varnish, a new private tmp catalog is created in /tmp/systemd-namespace-[some_uniq_tmpdir] every time varnish is restarted. This seems by design, but I need some way to clear up. varnish may reserve several GB to its file backing store, so after a few restarts, a lot of space on /tmp may be filled up.
With a bit afterthought: If the user changes this kind of config, he probably knows very well what he is doing and why, so keeping the default to /var/lib/varnish, and adding PrivateTmp=true should be safe.
The only other file stored in /tmp is an anonymous file handle used some time during startup. It is automatically cleared away and works without problems with PrivateTmp=true.
varnish-3.0.2-2.fc17 has been submitted as an update for Fedora 17.
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing varnish-3.0.2-2.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
varnish-3.0.2-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.