We should put them in /var/run like other daemons. Makes things more secure and also easier to handle in SELinux.
Most of the work was done on bug 4780, but there is some cleanup and testing left that can be done on this bug.
Committed in r28235. Going to do a test with a nightly build before I close the bug.
Nightly build works. Tester should verify that you can still log in. SELinux should be enforcing, and you should verify that the socket files and intermediate directories get the correct context.
Tested using server build 4290 on CentOS 6.4 with SELinux enforcing. /var/run/thinlinc/master is populated with a user socket with the correct SELinux context and there are no problems with logons. Also verified that tlwebadm creates a user socket for the root user when logging into the Web admin UI.
Creation of the intermediate directories does not compensate for a restrictive umask.
(In reply to comment #8)
> Creation of the intermediate directories does not compensate for a restrictive
> umask.

r28979.

Besides retesting the normal stuff, the tester should make sure things work with a restrictive umask (e.g. 0077 or 0777). Remember to remove /var/run/thinlinc, and to verify that vsmserver actually gets the expected umask (need to hack /etc/bashrc on RH systems for example).
(In reply to comment #9)
> (In reply to comment #8)
> > Creation of the intermediate directories does not compensate for a restrictive
> > umask.
>
> r28979.
>
> Besides retesting the normal stuff, the tester should make sure things work
> with a restrictive umask (e.g. 0077 or 0777). Remember to remove
> /var/run/thinlinc, and to verify that vsmserver actually gets the expected
> umask (need to hack /etc/bashrc on RH systems for example).

Tested on RHEL 6
- Edited /etc/profiles and added umask 77
- Installed rc2
- Verified that /var/run/thinlinc has the wrong permissions: 700
- Verified that a login with the native client failed with permission denied in tlclient.log.
- Updated installation with rc3
- Deleted /var/run/thinlinc between each restart of services and verified that each service created the directories with correct permissions.
- Verified that I could successfully log into a session.
(In reply to comment #10)
Also verified that tlwebaccess and tlwebadm (tlstunnel) work as expected.
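The umask failure discussed in comments #8 to #10, as an added example that is not ThinLinc code and not the change made in r28979: creating the intermediate directories with a plain makedirs call lets a umask of 0077 turn every level into 0700, while an explicit chmod on each directory the service creates makes the result independent of the umask. The function names and the target mode 0755 are assumptions made for this illustration; the run uses a temporary directory in place of /var/run.

```python
import os
import stat
import tempfile

def makedirs_naive(path, mode=0o755):
    # The requested mode is masked by the process umask at every level.
    os.makedirs(path, mode)

def makedirs_fixed_mode(base, relpath, mode=0o755):
    """Create each missing directory of relpath below base, then chmod it
    explicitly so the final permissions do not depend on the umask."""
    current = base
    for part in relpath.split(os.sep):
        current = os.path.join(current, part)
        try:
            os.mkdir(current, mode)
        except FileExistsError:
            continue  # leave directories we did not create untouched
        # chmod() is not affected by the umask. With umask 0777 the directory
        # starts out as mode 000, so this must happen before the next mkdir.
        os.chmod(current, mode)
    return current

def dir_modes(base, relpath):
    """Return the permission bits of every level of relpath below base."""
    modes, current = [], base
    for part in relpath.split(os.sep):
        current = os.path.join(current, part)
        modes.append(stat.S_IMODE(os.lstat(current).st_mode))
    return modes

def run_with_umask(mask, create, relpath="thinlinc/master"):
    """Call create(base) in a fresh temporary directory under the given
    umask and report the modes of the directories it produced."""
    with tempfile.TemporaryDirectory() as base:
        old = os.umask(mask)
        try:
            create(base)
        finally:
            os.umask(old)  # always restore the caller's umask
        return dir_modes(base, relpath)

if __name__ == "__main__":
    naive = lambda b: makedirs_naive(os.path.join(b, "thinlinc/master"))
    fixed = lambda b: makedirs_fixed_mode(b, "thinlinc/master")
    for mask, label, fn in [(0o077, "naive", naive), (0o077, "fixed", fixed),
                            (0o777, "fixed", fixed)]:
        print(label, oct(mask), [oct(m) for m in run_with_umask(mask, fn)])
```

Existing directories are deliberately skipped, so a directory left over from an earlier run keeps its mode, which is why the test instructions above say to remove /var/run/thinlinc before each retest.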