Re: Bug#1023778: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]

To: debian-devel@lists.debian.org
Subject: Re: Bug#1023778: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]
From: Russ Allbery <rra@debian.org>
Date: Sun, 13 Nov 2022 13:00:14 -0800
Message-id: <[🔎] 87edu6sh7l.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20221113163905.GF28869@mal.justgohome.co.uk> (Robie Basak's message of "Sun, 13 Nov 2022 16:39:05 +0000")
References: <Y2xLylfKj34Fbaou@tapette.crustytoothpaste.net> <[🔎] 20221110072617.GQ28869@mal.justgohome.co.uk> <[🔎] 87leoiwyse.fsf@err.no> <[🔎] CAOU6tABQ26_geaUbknCF+SoXd6ksURVqpn4RSjJUHBjDjf8orQ@mail.gmail.com> <Y2xLylfKj34Fbaou@tapette.crustytoothpaste.net> <[🔎] Y3BGtqJoHTHc4KLY@bongo.bofh.it> <[🔎] 20221113113808.GD28869@mal.justgohome.co.uk> <[🔎] Y3EGJ5YZ9VpIuDpA@momentum.pseudorandom.co.uk> <Y2xLylfKj34Fbaou@tapette.crustytoothpaste.net> <[🔎] Y3EKTZnhS+UlekWY@bongo.bofh.it> <[🔎] 20221113163905.GF28869@mal.justgohome.co.uk>

Robie Basak <robie.basak@ubuntu.com> writes:

> This seems inconsistent to me. Where is the expectation that TMPDIR must
> be unset if dropping privileges coming from? Obviously for users of
> libpam-tmpdir that's a problem.  But in the default case, it's something
> that would be entirely reasonable to inherit through a drop of
> privileges, for the same reason that I think you find that setting
> TMPDIR for maintainer scripts to use would be useful.

You were asking what changed from the historical behavior of UNIX.  This,
right here, is what changed.

As you note, historically UNIX uses a world-writable /tmp and assumed
basically everything on the system would use it.  Once UNIX started caring
more seriously about security, we discovered this came with a whole host
of security problems.  Most of those have been tediously fixed over the
years, but the fixes can be quite complex and to this day we continue to
see new software that gets it wrong, because it's very easy (particularly
when writing standard C) to not use the right combination of file name
randomization, O_EXCL flags, permissions, and so forth to mostly make this
safe.

Accordingly, private /tmp directories have become increasingly popular.
There are several different mechanisms to use them; the mechanism isn't
very important.  But they often use $TMPDIR since that variable is widely
supported.

Because the security problems with /tmp happen whenever two users with
different privileges use the same directory, private /tmp makes just as
much sense for root (if not even more sense, since root is at inherently
higher risk) as it does for any other user.  So it's not surprising to
start seeing root users with private /tmp, which will inherently require
*something* to change when dropping privileges from root and needing to
use a temporary directory.

The whole point of private /tmp is that every separate permission domain
uses a separate directory for temporary files that's restricted to just
that domain.  Obviously, private /tmp is optional, but it has very real
defense in depth security properties because shared /tmp is a surprisingly
tricky security challenge.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

References:
- TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]
  - From: Robie Basak <robie.basak@ubuntu.com>
- Re: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]
  - From: Tollef Fog Heen <tfheen@err.no>
- Re: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]
  - From: Otto Kekäläinen <otto@kekalainen.net>
- Re: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]
  - From: Marco d'Itri <md@Linux.IT>
- Re: Bug#1023778: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]
  - From: Robie Basak <robie.basak@ubuntu.com>
- Re: Bug#1023778: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]
  - From: Simon McVittie <smcv@debian.org>
- Re: Bug#1023778: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]
  - From: Marco d'Itri <md@linux.it>
- Re: Bug#1023778: TMPDIR behaviour in maintainer scripts [was: Re: Bug#1023778: mysql-server-8.0: fails to restart on upgrade with libpam-tmpdir]
  - From: Robie Basak <robie.basak@ubuntu.com>