Page MenuHomePhabricator

/tmp etc. separation through polyinstantiation by using namespaces.conf
Open, NormalPublic

Description

http://forums.whonix.org/t/etc-security-hardening/8592/6

Quote @madaidan

namespaces.conf looks really interesting. We can give users their own view of certain directories. e.g. we can add

/tmp     /tmp-inst/       	level      root,adm

Which would show all users (except root and adm) only their own private /tmp which is really a copy of /tmp-inst/ that is mounted over /tmp for that user.
https://linux.die.net/man/5/namespace.conf
https://linux.die.net/man/8/pam_namespace
I can't seem to enable the pam_namespace module to use this though.

Needs research how to use this.

Details

Impact
Normal

Event Timeline

Patrick triaged this task as Normal priority.Mon, Dec 23, 2:09 PM
Patrick created this task.