mirror of
https://github.com/systemd/systemd.git
synced 2024-11-05 06:52:22 +03:00
d34cd37490
Currently, PrivateTmp=yes means that the service cannot see the /tmp shared by rest of the system and is isolated from other services using PrivateTmp, but users can access and modify /tmp as seen by the service. Move the private /tmp and /var/tmp directories into a 0077-mode directory. This way unpriviledged users on the system cannot see (or modify) /tmp as seen by the service.
19 lines
626 B
Plaintext
19 lines
626 B
Plaintext
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
# See tmpfiles.d(5) for details
|
|
|
|
# Clear tmp directories separately, to make them easier to override
|
|
d /tmp 1777 root root 10d
|
|
d /var/tmp 1777 root root 30d
|
|
|
|
# Exclude namespace mountpoints created with PrivateTmp=yes
|
|
x /tmp/systemd-private-*
|
|
x /var/tmp/systemd-private-*
|
|
X /tmp/systemd-private-*/tmp
|
|
X /var/tmp/systemd-private-*/tmp
|