openstack team mailing list archive
Message #14054
Re: How do I stop image-create from using /tmp?
Daniel P. Berrange wrote:
> On Mon, Jul 02, 2012 at 12:09:55PM -0700, Johannes Erdfelt wrote:
>>
>> It seems to me that we're just as likely to have a review slip through
>> that uses /tmp insecurely as a review slipping through that uses /tmp at
>> all.
With my Vulnerability Management team hat on, looking at the types of
vulnerabilities we actually let go through in our reviews, I would
disagree with that. Not all the core developers have the security
mindset built into them. And spotting usage of /tmp is always easier
than spotting insecure usage of /tmp.
> It is fairly common for apps to use /var/cache/<appname> or
> /var/lib/<appname>.
>
>> Since we can't trust developers to use /tmp securely, or avoid using
>> /tmp at all, then why not use filesystem namespaces to set up a process
>> specific non-shared /tmp?
>
> That is possible, but I simply disagree with your point that we
> can't stop using /tmp. It is entirely possible to stop using it
> IMHO.
+1. Always using application-specific, unshared temp space
(/var/cache/<appname>, /var/lib/<appname>/tmp...) is a good security
strengthening mechanism that should help us avoid /some/ vulnerabilities
in the future.
--
Thierry Carrez (ttx)
OpenStack Vulnerability Management team
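
An added example, not part of the original message or of OpenStack's code, of the application-specific, unshared temp space recommended above. The function names and the directory argument (for instance /var/lib/<appname>/tmp, whose parent is assumed to exist) are hypothetical.

```python
import os
import stat
import tempfile


def private_tmpdir(path):
    """Create or validate an application-owned scratch directory.

    Returns `path` only if it is a real directory (not a symlink), owned
    by the current user, with no group/other access. Raises
    PermissionError otherwise, so callers never fall back to shared space.
    """
    try:
        os.mkdir(path, 0o700)  # parent directory is assumed to exist
    except FileExistsError:
        pass  # already present: validate it below instead of trusting it
    st = os.lstat(path)  # lstat: do not follow a symlink placed at `path`
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} is not a directory")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path} is owned by uid {st.st_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError(f"{path} is accessible to group/other")
    return path


def scratch_file(tmpdir, suffix=""):
    """Create a temp file inside the validated private directory.

    mkstemp opens the file with O_EXCL and mode 0600; passing dir=
    keeps it out of the system-wide /tmp. Returns (fd, filename).
    """
    return tempfile.mkstemp(dir=private_tmpdir(tmpdir), suffix=suffix)
```

Because the directory is re-validated on every call, a later change of its mode or owner is caught at the point of use, which is the kind of check that is easy to look for in review.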