www.cendio.com
Bug 4826 - stop using /tmp for user sockets
Status: CLOSED FIXED
: ThinLinc
VSM Server
: trunk
: PC Unknown
: P2 Normal
: 4.2.0
: 4103 4780
Reported: 2013-10-04 11:33 by
Modified: 2014-05-15 14:32 (History)

Description From cendio 2013-10-04 11:33:59
We should put them in /var/run like other daemons. Makes things more secure and
also easier to handle in SELinux.
------- Comment #2 From cendio 2013-12-09 16:41:33 -------
Most of the work was done on bug 4780, but there is some cleanup and testing
left that can be done on this bug.
------- Comment #3 From cendio 2013-12-18 13:22:50 -------
Committed in r28235. Going to do a test with a nightly build before I close the
bug.
------- Comment #4 From cendio 2014-01-08 14:17:53 -------
Nightly build works.

Tester should verify that you can still log in. SELinux should be enforcing,
and you should verify that the socket files and intermediate directories get
the correct context.
------- Comment #5 From cendio 2014-03-18 14:59:22 -------
Tested using server build 4290 on CentOS 6.4 with SELinux enforcing.

/var/run/thinlinc/master is populated with a user socket with the correct SELinux
context and there are no problems with logons.

Also verified that tlwebadm creates a user socket for root user when logging
into Web admin UI.
------- Comment #8 From cendio 2014-05-14 17:06:29 -------
Creation of the intermediate directories does not compensate for a restrictive
umask.
------- Comment #9 From cendio 2014-05-15 11:00:59 -------
(In reply to comment #8)
> Creation of the intermediate directories does not compensate for a restrictive
> umask.

r28979.

Besides retesting the normal stuff, the tester should make sure things work
with a restrictive umask (e.g. 0077 or 0777). Remember to remove
/var/run/thinlinc, and to verify that vsmserver actually gets the expected
umask (need to hack /etc/bashrc on RH systems for example).
------- Comment #10 From cendio 2014-05-15 14:25:30 -------
(In reply to comment #9)
> (In reply to comment #8)
> > Creation of the intermediate directories does not compensate for a restrictive
> > umask.
> 
> r28979.
> 
> Besides retesting the normal stuff, the tester should make sure things work
> with a restrictive umask (e.g. 0077 or 0777). Remember to remove
> /var/run/thinlinc, and to verify that vsmserver actually gets the expected
> umask (need to hack /etc/bashrc on RH systems for example).

Tested on RHEL 6

- Edited /etc/profiles and added umask 77
- Installed rc2
- Verified that /var/run/thinlinc has wrong permissions; 700
- Verified that a login with native client failed with permission denied in
  tlclient.log.

- Updated installation with rc3
- Deleted /var/run/thinlinc between each restart of services and verified that
  each service created the directories with correct permissions.
- Verified that I could successfully log into a session.
------- Comment #11 From cendio 2014-05-15 14:32:06 -------
(In reply to comment #10)

Also verified that tlwebaccess and tlwebadm (tlstunnel) work as expected.
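
The umask problem from comments #8 to #10, reproduced as an added example (not ThinLinc's code and not the r28979 change): under umask 0077 a plain makedirs leaves the intermediate directories at 700, while an explicit chmod after each mkdir gives the intended mode. The 0755 target mode, the helper names and the scratch directory standing in for /var/run are assumptions.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755  # assumed target mode; the bug report does not state the exact value


def makedirs_plain(path, mode=DIR_MODE):
    """Umask-sensitive variant: every mkdir() has its mode masked by the umask."""
    os.makedirs(path, mode)


def makedirs_exact(path, mode=DIR_MODE):
    """Create each missing component, then chmod it so the umask cannot narrow it."""
    missing = []
    cur = os.path.abspath(path)
    while not os.path.isdir(cur):
        missing.append(cur)
        cur = os.path.dirname(cur)
    for d in reversed(missing):
        os.mkdir(d, mode)   # may come out narrower than `mode` (even 000)
        os.chmod(d, mode)   # chmod() is not affected by the process umask


def perms(path):
    """Permission bits of `path` without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def modes_under_umask(create, umask):
    """Run `create` under `umask`; return the modes of [thinlinc, thinlinc/master]."""
    with tempfile.TemporaryDirectory() as root:  # scratch stand-in for /var/run
        leaf = os.path.join(root, "thinlinc", "master")
        old = os.umask(umask)
        try:
            create(leaf)
        finally:
            os.umask(old)  # always restore the caller's umask
        return [perms(os.path.dirname(leaf)), perms(leaf)]


if __name__ == "__main__":
    for name, fn in (("plain", makedirs_plain), ("exact", makedirs_exact)):
        print(name, [oct(m) for m in modes_under_umask(fn, 0o077)])
```

The directory is briefly narrower than intended between mkdir() and chmod(), never wider, so the ordering does not expose the socket directory to other users.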