From d34cd374905a40e65769351a2808b741b5418bf1 Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Wed, 20 Mar 2013 01:38:28 -0400
Subject: Make PrivateTmp dirs also inaccessible from the outside

Currently, PrivateTmp=yes means that the service cannot see the /tmp shared by rest of the system and is isolated from other services using PrivateTmp, but users can access and modify /tmp as seen by the service. Move the private /tmp and /var/tmp directories into a 0077-mode directory. This way unpriviledged users on the system cannot see (or modify) /tmp as seen by the service.
---
 tmpfiles.d/tmp.conf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'tmpfiles.d/tmp.conf')

diff --git a/tmpfiles.d/tmp.conf b/tmpfiles.d/tmp.conf
index ef5a9f0f2c..3b534a1f75 100644
--- a/tmpfiles.d/tmp.conf
+++ b/tmpfiles.d/tmp.conf
@@ -12,5 +12,7 @@
 d /tmp 1777 root root 10d
 d /var/tmp 1777 root root 30d
 # Exclude namespace mountpoints created with PrivateTmp=yes
-X /tmp/systemd-private-*
-X /var/tmp/systemd-private-*
+x /tmp/systemd-private-*
+x /var/tmp/systemd-private-*
+X /tmp/systemd-private-*/tmp
+X /var/tmp/systemd-private-*/tmp
-- 
cgit v1.2.3-54-g00ecf
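Review bot: Switching the outer entries from `X` to `x` exempts every path matching `/tmp/systemd-private-*` and `/var/tmp/systemd-private-*` from age-based cleanup together with its entire subtree, and since `/tmp` and `/var/tmp` are created 1777 by the `d` lines two lines above, any unprivileged user can pre-create a directory with that prefix and park arbitrary data there that tmpfiles will never age out. Under the old `X` lines only the directory itself was kept, so user-planted contents still aged per tmpfiles.d(5); the new `x` lines remove that backstop, which is worth weighing against the access-control goal of the commit. If the aim is only to keep the per-service root and its inner `tmp` mountpoint from being removed while files beneath still age, `X` on both levels may suffice, or the glob should be made as specific as the names the service manager actually generates allow. The existing comment no longer explains why the two levels use different types, so extend it along the lines of `# x keeps the whole per-service root out of cleanup; X keeps the inner tmp mountpoint itself while its contents still age`.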