Bug 4826 - stop using /tmp for user sockets
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VSM Server
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.2.0
Assignee: Pierre Ossman
Keywords: hean01_tester, prosaic
Blocks: 4103 4780
Reported: 2013-10-04 11:33 CEST by Pierre Ossman
Modified: 2014-05-15 14:32 CEST

Description Pierre Ossman cendio 2013-10-04 11:33:59 CEST
We should put them in /var/run like other daemons. Makes things more secure and also easier to handle in SELinux.

Comment 2 Pierre Ossman cendio 2013-12-09 16:41:33 CET
Most of the work was done on bug 4780, but there is some cleanup and testing left that can be done on this bug.

Comment 3 Pierre Ossman cendio 2013-12-18 13:22:50 CET
Committed in r28235. Going to do a test with a nightly build before I close the bug.

Comment 4 Pierre Ossman cendio 2014-01-08 14:17:53 CET
Nightly build works.

Tester should verify that you can still log in. SELinux should be enforcing, and you should verify that the socket files and intermediate directories get the correct context.

Comment 5 Henrik Andersson cendio 2014-03-18 14:59:22 CET
Tested using server build 4290 on CentOS 6.4 with selinux enforcing.

/var/run/thinlinc/master is populated with user socket with the correct SELinux context and there are no problems with logons.

Also verified that tlwebadm creates a user socket for root user when logging into Web admin ui.

Comment 8 Pierre Ossman cendio 2014-05-14 17:06:29 CEST
Creation of the intermediate directories does not compensate for a restrictive umask.

Comment 9 Pierre Ossman cendio 2014-05-15 11:00:59 CEST
(In reply to comment #8)
> Creation of the intermediate directories does not compensate for a restrictive
> umask.

r28979.

Besides retesting the normal stuff, the tester should make sure things work with a restrictive umask (e.g. 0077 or 0777). Remember to remove /var/run/thinlinc, and to verify that vsmserver actually gets the expected umask (need to hack /etc/bashrc on RH systems for example).

Comment 10 Henrik Andersson cendio 2014-05-15 14:25:30 CEST
(In reply to comment #9)
> (In reply to comment #8)
> > Creation of the intermediate directories does not compensate for a restrictive
> > umask.
> 
> r28979.
> 
> Besides retesting the normal stuff, the tester should make sure things work
> with a restrictive umask (e.g. 0077 or 0777). Remember to remove
> /var/run/thinlinc, and to verify that vsmserver actually gets the expected
> umask (need to hack /etc/bashrc on RH systems for example).

Tested on RHEL 6

- Edited /etc/profiles and added umask 77
- Installed rc2
- Verified that /var/run/thinlinc has wrong permissions; 700
- Verified that a login with native client failed with permission denied in
  tlclient.log.

- Updated installation with rc3
- Deleted /var/run/thinlinc between each restart of services and verified that
  each service created the directories with correct permissions.
- Verified that I could successfully log into a session.

Comment 11 Henrik Andersson cendio 2014-05-15 14:32:06 CEST
(In reply to comment #10)

Also verified that tlwebaccess and tlwebadm (tlstunnel) work as expected.
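
The umask problem from comments 8 to 10 (intermediate directories ending up as 700 under umask 077) and one way to avoid it, as an added example that is not ThinLinc's code or the change in r28979. The helper names `makedirs_exact` and `modes_under_umask` are hypothetical, and a scratch temporary directory stands in for /var/run.

```python
import os
import stat
import tempfile


def makedirs_exact(path, mode=0o755):
    """Create path and missing parents; every directory created here ends up
    with exactly `mode`, independent of the process umask."""
    missing = []
    probe = os.path.abspath(path)
    while not os.path.isdir(probe):          # collect components that do not exist yet
        missing.append(probe)
        probe = os.path.dirname(probe)
    created = []
    for directory in reversed(missing):      # create top-down
        try:
            os.mkdir(directory, mode)        # mode & ~umask: 0700 under umask 0077
        except FileExistsError:
            continue                         # created concurrently: leave its mode alone
        os.chmod(directory, mode)            # chmod is not filtered by the umask
        created.append(directory)
    return created


def modes_under_umask(umask, create):
    """Run create(<tmp>/thinlinc/master, 0o755) under `umask` and return the
    permission bits of (intermediate directory, leaf directory)."""
    with tempfile.TemporaryDirectory() as root:   # scratch stand-in for /var/run
        leaf = os.path.join(root, "thinlinc", "master")
        old = os.umask(umask)
        try:
            create(leaf, 0o755)
        finally:
            os.umask(old)                    # always restore the caller's umask
        return tuple(stat.S_IMODE(os.stat(p).st_mode)
                     for p in (os.path.dirname(leaf), leaf))


if __name__ == "__main__":
    for name, fn in (("os.makedirs", os.makedirs),
                     ("makedirs_exact", makedirs_exact)):
        print(name, [oct(m) for m in modes_under_umask(0o077, fn)])
```

Directories that already exist are left untouched, so removing the directory tree before retesting, as comment 9 asks, is still needed to see the effect.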
