Make PrivateTmp dirs also inaccessible from the outside

Currently, PrivateTmp=yes means that the service cannot see the /tmp shared by rest of the system and is isolated from other services using PrivateTmp, but users can access and modify /tmp as seen by the service. Move the private /tmp and /var/tmp directories into a 0077-mode directory. This way unpriviledged users on the system cannot see (or modify) /tmp as seen by the service.
author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2013-03-20 01:38:28 -0400
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2013-03-20 14:08:41 -0400
commit: d34cd374905a40e65769351a2808b741b5418bf1 (patch)
tree: 5dbd6761c13de63a6d5b1c0733d82990abb46aef /tmpfiles.d
parent: 1f048a6b6bcc30d2e157711b3d231d7a944e6ffb (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/tmpfiles.d/tmp.conf b/tmpfiles.d/tmp.conf
index ef5a9f0f2c..3b534a1f75 100644
--- a/tmpfiles.d/tmp.conf
+++ b/tmpfiles.d/tmp.conf
@@ -12,5 +12,7 @@ d /tmp 1777 root root 10d
 d /var/tmp 1777 root root 30d
 
 # Exclude namespace mountpoints created with PrivateTmp=yes
-X /tmp/systemd-private-*
-X /var/tmp/systemd-private-*
+x /tmp/systemd-private-*
+x /var/tmp/systemd-private-*
+X /tmp/systemd-private-*/tmp
+X /var/tmp/systemd-private-*/tmp
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2013-03-20 01:38:28 -0400
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2013-03-20 14:08:41 -0400
commit	d34cd374905a40e65769351a2808b741b5418bf1 (patch)
tree	5dbd6761c13de63a6d5b1c0733d82990abb46aef /tmpfiles.d
parent	1f048a6b6bcc30d2e157711b3d231d7a944e6ffb (diff)