diff options
| author | Topi Miettinen <toiwoton@gmail.com> | 2019-05-10 22:11:40 +0300 |
|---|---|---|
| committer | Tomáš Mráz <t8m@users.noreply.github.com> | 2020-02-18 13:18:16 +0100 |
| commit | 59812d1cf1127a1af65b530addff76be767092b1 (patch) | |
| tree | c05252f35d58f485d13af5988cd340a80b3e1121 /modules/pam_namespace/pam_namespace.service.in | |
| parent | c7a66c8ca510e12f43355ac7cc893834964235b7 (diff) | |
| download | pam-59812d1cf1127a1af65b530addff76be767092b1.tar.gz pam-59812d1cf1127a1af65b530addff76be767092b1.tar.bz2 pam-59812d1cf1127a1af65b530addff76be767092b1.zip | |
pam_namespace: secure tmp-inst directories
When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace
creates subdirectories with fixed name tmp-inst. These paths should be
secured as early as possible to avoid that somehow these directories
could created and controlled by for example a malicious user or
service.
Ship a systemd service, which creates the directories early in
boot sequence with correct permissions and ownership.
Closes #111.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'modules/pam_namespace/pam_namespace.service.in')
| -rw-r--r-- | modules/pam_namespace/pam_namespace.service.in | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/modules/pam_namespace/pam_namespace.service.in b/modules/pam_namespace/pam_namespace.service.in new file mode 100644 index 00000000..e2311917 --- /dev/null +++ b/modules/pam_namespace/pam_namespace.service.in @@ -0,0 +1,11 @@ +[Unit] +After=local-fs.target +Before=multi-user.target shutdown.target +Conflicts=shutdown.target +DefaultDependencies=no +Description=Make sure parent directories configured in @SCONFIGDIR@/namespace.conf for polyinstantiation exist +Documentation=man:pam_namespace(8) + +[Service] +ExecStart=@sbindir@/pam_namespace_helper +Type=oneshot |