Bug 782539 - Propose that you turn on PrivateTmp=true in service file for varnishd
Propose that you turn on PrivateTmp=true in service file for varnishd
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: varnish (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Ingvar Hagelund
Fedora Extras Quality Assurance
:
Depends On:
Blocks: PrivateTmp
  Show dependency treegraph
 
Reported: 2012-01-17 11:03 EST by Daniel Walsh
Modified: 2012-03-17 20:48 EDT (History)
1 user (show)

See Also:
Fixed In Version: varnish-3.0.2-2.fc17
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-17 20:48:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Daniel Walsh 2012-01-17 11:03:26 EST
I would like to propose using PrivateTmp for varnishd systemd unit file
This should make the use of /tmp directory more secure
and avoid users from being able to potentially effect it.

http://fedoraproject.org/wiki/Features/ServicesPrivateTmp
Comment 1 Daniel Walsh 2012-02-06 15:45:59 EST
Any change on this bug.  We are coming up to Feature Freeze, and would like some comment on this bug.

If you do not believe this application uses /tmp than please comment on this and close the bug.  

If you believe this application needs to use /tmp to communicate with other applications or users then you can close this bug with that comment.

If your app does not use systemd, then close this bug with that comment.

If you have no idea, then please add a comment, and change the bug to assigned.

I need to update the status on this feature.


Thanks for your help.
Comment 2 Ingvar Hagelund 2012-03-12 05:51:45 EDT
In its fedora package, varnish should not use /tmp, but it may be configured to do so. It does not need to share any data with its surroundings, so a private /tmp should be safe. I'll look into this.

Ingvar
Comment 3 Ingvar Hagelund 2012-03-12 07:48:57 EDT
Just adding PrivateTmp=true works with no changes to the config. If I change the config to use /tmp instead of /var/lib/varnish, a new private tmp catalog is created in /tmp/systemd-namespace-[some_uniq_tmpdir] every time varnish is restarted. This seems by design, but I need some way to clear up. varnish may reserve several GB to its file backing store, so after a few restarts, a lot of space on /tmp may be filled up.
Comment 4 Ingvar Hagelund 2012-03-12 08:18:26 EDT
With a bit afterthought: If the user changes this kind of config, he probably knows very well what he is doing and why, so keeping the default to /var/lib/varnish, and adding PrivateTmp=true should be safe.

The only other file stored in /tmp is an anonymous file handle used some time during startup. It is automatically cleared away and works without problems with PrivateTmp=true.
Comment 5 Fedora Update System 2012-03-13 03:18:30 EDT
varnish-3.0.2-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/varnish-3.0.2-2.fc17
Comment 6 Fedora Update System 2012-03-13 13:10:06 EDT
Package varnish-3.0.2-2.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing varnish-3.0.2-2.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-3672/varnish-3.0.2-2.fc17
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-03-17 20:48:19 EDT
varnish-3.0.2-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.