
Against /Tmp

(dotat.at)
143 points todsacerdoti | 3 comments
josephcsible No.41914801
If you're opening with O_CREAT|O_EXCL, why does it matter whether the filename is predictable?
replies(2): >>41914941 #>>41915153 #
1. kijin No.41914941
Because other processes can periodically check whether a predictable filename is in use, and guess things you'd rather keep private?
replies(2): >>41915014 #>>41916172 #
2. johnisgood No.41915014
Why would you have processes you do not trust, or why not use firejail for those that may pose a security risk?

> Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

It supports "--private" (mounts new /root and /home/user directories in temporary filesystems), along with "--private-{bin,cache,cwd,dev,etc,home,lib,opt,srv,tmp}" (plus "noexec /tmp"). It also supports "keep-config-pulse", "keep-dev-shm", and so forth, meaning you can have shared files between processes if you so wish (for DBus, etc.).

3. josephcsible No.41916172
But you wouldn't need to guess names to do that, since the names of files in /tmp are publicly listable.
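A concrete illustration of the two points traded above, added here as an example and not code from the thread or from the linked article: opening a fixed name with O_CREAT|O_EXCL is race-safe, but in a world-listable /tmp any process can lstat() that name and learn the program is running; a 0700 directory from mkdtemp() plus mkstemp() inside it hides both the name and its existence from other users. It assumes a POSIX/glibc system; the name "myapp.tmp" and the "private.XXXXXX" prefix are constructed for the demo.

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Base directory for the demo: $TMPDIR if set, else /tmp. */
static const char *tmp_base(void) {
    const char *t = getenv("TMPDIR");
    return (t && *t) ? t : "/tmp";
}

/* Pattern A: a fixed, guessable path opened with O_CREAT|O_EXCL.
 * Race-safe (never clobbers or follows a symlink into someone else's file),
 * but the predictable name itself leaks state: the entry is visible to
 * anyone who can search the directory.
 * Returns an fd, or -errno on failure (-EEXIST if the name is already in use). */
int open_fixed_exclusive(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    return fd < 0 ? -errno : fd;
}

/* What an unprivileged observer learns from Pattern A: 1 if the name exists,
 * 0 otherwise. lstat() on a world-searchable /tmp needs no special rights. */
int name_is_in_use(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0;
}

/* Pattern B, step 1: a private directory. mkdtemp() creates it mode 0700,
 * so other users can neither list nor probe names inside it.
 * Returns 0 on success, -errno on failure; the path is written to `out`. */
int make_private_dir(char *out, size_t outlen) {
    if (snprintf(out, outlen, "%s/private.XXXXXX", tmp_base()) >= (int)outlen)
        return -ENAMETOOLONG;
    return mkdtemp(out) ? 0 : -errno;
}

/* Pattern B, step 2: an unpredictable name inside that directory.
 * mkstemp() itself uses O_CREAT|O_EXCL with mode 0600.
 * Returns an fd, or -errno; the chosen path is written to `out`. */
int open_private_tmp(const char *dir, char *out, size_t outlen) {
    if (snprintf(out, outlen, "%s/XXXXXX", dir) >= (int)outlen)
        return -ENAMETOOLONG;
    int fd = mkstemp(out);
    return fd < 0 ? -errno : fd;
}

int main(void) {
    char dir[256], fixed[512], priv[512];
    if (make_private_dir(dir, sizeof dir) != 0) { perror("mkdtemp"); return 1; }

    /* Constructed predictable name, as a program using a fixed /tmp path would. */
    snprintf(fixed, sizeof fixed, "%s/myapp.tmp", dir);
    printf("observer before open: in use = %d\n", name_is_in_use(fixed));
    int fd1 = open_fixed_exclusive(fixed);
    if (fd1 < 0) { fprintf(stderr, "open: %s\n", strerror(-fd1)); return 1; }
    printf("observer after open:  in use = %d\n", name_is_in_use(fixed));
    printf("second exclusive open: %s\n", strerror(-open_fixed_exclusive(fixed)));

    int fd2 = open_private_tmp(dir, priv, sizeof priv);
    if (fd2 < 0) { fprintf(stderr, "mkstemp: %s\n", strerror(-fd2)); return 1; }
    printf("private temp file: %s (directory is 0700, name is random)\n", priv);

    close(fd1); close(fd2);
    unlink(fixed); unlink(priv); rmdir(dir);
    return 0;
}
```

Run it twice concurrently and the second exclusive open reports "File exists": that is exactly the signal a predictable name hands to anyone else on the machine, which the mkdtemp/mkstemp pair does not.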