Commit 332acbef authored by Michael Biebl

Use a separate tmpfs for /run/lock (size 5M) and /run/user (size 100M).

Those directories are user-writable which could lead to DoS by filling up
/run.  Closes: #635131
parent c3f5f249
......@@ -11,6 +11,11 @@ systemd (44-6) UNRELEASED; urgency=low
* Prevent the systemd package from being removed if it's the active init
system, since that doesn't work.
[ Michael Biebl ]
* Use a separate tmpfs for /run/lock (size 5M) and /run/user (size 100M).
Those directories are user-writable which could lead to DoS by filling up
/run. Closes: #635131
-- Tollef Fog Heen <tfheen@debian.org> Sat, 01 Dec 2012 18:42:21 +0100
systemd (44-5) unstable; urgency=low
......
......@@ -46,3 +46,5 @@ debian/debian-fixup lib/systemd/
debian/debian-fixup.service lib/systemd/system
debian/tmpfiles.d/debian.conf usr/lib/tmpfiles.d
debian/ifup@.service lib/systemd/system
debian/units/run-lock.mount lib/systemd/system/
debian/units/run-user.mount lib/systemd/system/
......@@ -59,3 +59,7 @@
/lib/systemd/system/debian-fixup.service /lib/systemd/system/sysinit.target.wants/debian-fixup.service
# Compat symlink
/lib/systemd/systemd /bin/systemd
# Mount separate tmpfs file systems for /run/user and /run/lock
/lib/systemd/system/run-user.mount /lib/systemd/system/local-fs.target.wants/run-user.mount
/lib/systemd/system/run-lock.mount /lib/systemd/system/local-fs.target.wants/run-lock.mount
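Review bot: The two new symlinks are placed in local-fs.target.wants/, which is only a Wants= dependency, so if run-user.mount or run-lock.mount fails at boot, local-fs.target is still reached and both directories stay on the /run tmpfs with no separate size cap. If the limit is meant to be enforced, consider linking from local-fs.target.requires/ instead, or extend the comment above the links to say that a failed mount is tolerated on purpose.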
[Unit]
Description=Lock Directory
Before=local-fs.target
[Mount]
What=tmpfs
Where=/run/lock
Type=tmpfs
Options=nodev,noexec,nosuid,size=5242880
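Review bot: The Options= line in run-lock.mount sets no mode=, while run-user.mount spells out mode=0755. The lock directory then relies on the tmpfs default of a world-writable sticky root (1777); stating it explicitly, e.g. Options=nodev,noexec,nosuid,size=5242880,mode=1777, documents the intent and keeps the two units consistent. Writing the size as size=5M would also match the changelog wording.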
[Unit]
Description=User Runtime Directory
Before=local-fs.target
[Mount]
What=tmpfs
Where=/run/user
Type=tmpfs
Options=nodev,noexec,nosuid,size=104857600,mode=0755
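Review bot: size=104857600 on Where=/run/user is a single limit shared by every user, so one user can still fill the 100M and leave no runtime directory space for anyone else; the mount protects /run, not users from each other. Worth stating that in the changelog entry or in a comment in the unit so the remaining exposure is documented.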