author Andrew Clayton <a.clayton@nginx.com> 2023-02-22 16:04:53 +0000
committer Andrew Clayton <a.clayton@nginx.com> 2023-02-24 15:48:00 +0000
commit ffa86b6edcb4ac06825557f969fb657948d8c35e
tree 83a7c0987d92dbf70188130206a3334469a485b5
parent 7934dcabbc3c2b585e8d3f8fcee7020ba26f1687
Isolation: rootfs: Set the sticky bit on the tmp directory.

When using the 'rootfs' isolation option, by default a tmpfs filesystem
is mounted on tmp/. Currently this is mounted with a mode of 0777, i.e.

  drwxrwxrwx. 3 root root 60 Feb 22 11:56 tmp

however this should really have the sticky bit[0] set (as is per-normal
for such directories) to prevent users from having free rein on the
files contained within.

What we really want is it mounted with a mode of 01777, i.e.

  drwxrwxrwt. 3 root root 60 Feb 22 11:57 tmp

[0]: To quote inode(7)

  "The sticky bit (S_ISVTX) on a directory means that a file in
   that directory can be renamed or deleted only by the owner of
   the file, by the owner of the directory, and by a privileged
   process."

Reviewed-by: Liam Crilly <liam@nginx.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

-rw-r--r-- src/nxt_isolation.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/nxt_isolation.c b/src/nxt_isolation.c
index e43cf1f7..614d6bb5 100644
--- a/src/nxt_isolation.c
+++ b/src/nxt_isolation.c
@@ -652,7 +652,7 @@ nxt_isolation_set_lang_mounts(nxt_task_t *task, nxt_process_t *process,
mnt->flags = (NXT_FS_FLAGS_NOSUID
| NXT_FS_FLAGS_NODEV
| NXT_FS_FLAGS_NOEXEC);
- mnt->data = (u_char *) "size=1m,mode=777";
+ mnt->data = (u_char *) "size=1m,mode=1777";
mnt->builtin = 1;
mnt->deps = 0;
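Review bot: the "size=1m,mode=1777" literal on the changed mnt->data line carries no comment saying that the leading 1 is the sticky bit, so a later cleanup could turn it back into 777 without anyone noticing; a one-line comment above the assignment (for example "sticky, as for /tmp") would guard against that. The commit message writes the mode as 01777 while the string uses 1777; tmpfs parses mode= as octal, so both are the same value, but using one spelling in the message and the code would avoid the question. The hunk also comes without a test: a check that stats tmp/ inside the rootfs and asserts S_ISVTX would keep this from regressing.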