
Against /Tmp

(dotat.at)
140 points by todsacerdoti | 2 comments
CarpaDorada No.41913885
Is it possible to configure every user to see /tmp as $USER/.tmp via some Linux isolation method (namespaces)?
replies(2): >>41913908 >>41913926
0xC0ncord No.41913908
This exact thing is possible with pam_namespace.so!
replies(1): >>41913992
CarpaDorada No.41913992
Very nice, thank you. I will look into this. This may be my break into PAM that I've ignored thus far.

I'm wondering if there are programs that will break with such a change. One example would be if multiple users in a group need access to the same file under /tmp.

replies(1): >>41914126
0xC0ncord No.41914126
pam_namespace normally isolates /tmp by user or SELinux context, so your example might require a couple tweaks. I haven't tried any of these but I'm thinking any of:

1) You could modify the namespace init script used by pam_namespace to also mount a shared directory under each user's /tmp, and do this only for the users who need it.

2) Rely on a different shared directory for the users who need it.

3) Configure namespace.conf to isolate by SELinux context and put each user who needs a shared /tmp into the same SELinux role.

replies(1): >>41914229
CarpaDorada No.41914229
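Option 1 from the comment above, as an added example that is not code from the thread or from Linux-PAM: an init-script hook that bind-mounts a shared directory under /tmp only for users in one group, leaving everyone else with a fully private instance. It assumes the four-argument convention of the stock /etc/security/namespace.init and two hypothetical names, SHARED_GROUP (tmpshare) and SHARED_SRC (/srv/tmp-shared); it would be installed as /etc/security/namespace.init or referenced with the iscript= flag on the /tmp line of namespace.conf.

```shell
#!/bin/sh
# Added example (not from the thread or from Linux-PAM): a namespace.init-style
# hook for pam_namespace that gives members of one group a shared directory
# under their otherwise private /tmp.
#
# Argument convention assumed from the stock /etc/security/namespace.init:
#   $1 polyinstantiated dir (/tmp)   $2 instance dir (e.g. /tmp-inst/alice)
#   $3 1 if the instance was just created, else 0   $4 user name
# SHARED_GROUP and SHARED_SRC are hypothetical names chosen for this example.
SHARED_GROUP="${SHARED_GROUP:-tmpshare}"
SHARED_SRC="${SHARED_SRC:-/srv/tmp-shared}"

# has_word WORD LIST: succeed if WORD is one of the space-separated words in LIST.
has_word() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# shared_mountpoint POLYDIR USER GROUPLIST: print where the shared directory
# belongs for USER (POLYDIR/shared), or nothing if USER is not in SHARED_GROUP.
# GROUPLIST is the output of `id -nG USER`; passing it in keeps this testable.
shared_mountpoint() {
    if has_word "$SHARED_GROUP" "$3"; then
        printf '%s/shared\n' "$1"
    fi
}

# setup_instance POLYDIR INSTDIR NEWFLAG USER: the real work, needs root.
# Assumption: pam_namespace runs the script in the session's mount namespace
# after the instance is bound over POLYDIR (check your distro's namespace.init),
# so the extra mount goes under POLYDIR rather than INSTDIR.
setup_instance() {
    polydir=$1 inst=$2 new=$3 user=$4
    if [ "$new" = 1 ]; then
        chmod 1777 "$inst"    # fresh private copy keeps /tmp's sticky, world-writable mode
    fi
    mp=$(shared_mountpoint "$polydir" "$user" "$(id -nG "$user")")
    if [ -n "$mp" ]; then
        mkdir -p "$mp"
        mountpoint -q "$mp" || mount --bind "$SHARED_SRC" "$mp"
    fi
}

# Only act when invoked as the init script itself, so the file can be
# sourced for testing without touching any mounts.
case "${0##*/}" in
    namespace.init) setup_instance "$@" ;;
esac
```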
What occurs to me now is that with a proper SELinux configuration you do not even need per-user /tmp, you can use the old /tmp for all. It is still motivating to look into PAM, but perhaps also motivating to learn more about SELinux that I've also put off.