[Bug 2088268] Re: systemd /tmp cleaning removes files that it shouldn't
Juha Aatrokoski
2088268 at bugs.launchpad.net
Tue Nov 19 08:38:21 UTC 2024
Sure, I can fix it in my systems, and have done so. But other users
using the default settings will still have a potential security
vulnerability in their systems.
And the X11 files are a case we know about; there might be other programs
using /tmp in a similar way (such as the TigerVNC case), and some of
them may also have security implications.
Looking at the big picture, the underlying cause may very well be that
programs are using /tmp "wrong". The solution is to fix *all* of them,
or to accept that this usage happens and try to minimize the danger. At
the minimum, the *known* security issues (like the X11 files) should be
fixed one way or another.
--
https://bugs.launchpad.net/bugs/2088268
Title:
systemd /tmp cleaning removes files that it shouldn't
Status in systemd package in Ubuntu:
New
Status in xorg package in Ubuntu:
New
Bug description:
On Ubuntu 24.04.1, systemd 255.4-1ubuntu8.4, the fix for bug #2019026
causes files under /tmp to be removed if their age is greater than 30
days. However, there are files under /tmp that should not be removed
at runtime regardless of their age (whether they belong in that
directory at all is a separate question), for example those listed in
/usr/lib/tmpfiles.d/x11.conf (I have witnessed the disappearance of
X11 lock files, though the sockets are still there; /tmp/.XIM-unix and
/tmp/.font-unix have also disappeared).
I am not familiar enough with systemd-tmpfiles to figure out whether
those files can be properly protected from removal with a tmpfiles.d
configuration change, but I do know that the current configuration
does not do that.
I noticed this problem when a couple of TigerVNC sessions became
inaccessible a month after starting them, which turned out to be
because the "cached" password file in /tmp/tigervnc.XXXXXX/passwd was
removed. This is at least partially a bug in tigervnc, but the problem
also affects other critical not-to-be-removed-or-else files under
/tmp.
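Added example, not code from the bug thread or from systemd: a simplified Python model of how tmpfiles.d `x`/`X` exclusion lines interact with a `D /tmp ... 30d` age rule, for reasoning about whether a fragment actually protects paths like the X11 lock files and the TigerVNC directory named above. The config fragment, paths and ages are constructed; the model ignores atime/ctime, bound sockets and the other checks the real tool performs.

```python
"""Simplified offline model of systemd-tmpfiles age clean-up (added example, not
code from systemd or this bug thread). It models only Age against one timestamp
plus `x`/`X` exclusions; the real tool also checks atime/ctime, bound sockets etc."""
import fnmatch

DAY = 86400

def parse_age(field):
    """Parse an Age field such as '30d', '10h' or '-' (never clean)."""
    if field == "-":
        return None
    units = {"s": 1, "m": 60, "h": 3600, "d": DAY, "w": 7 * DAY}
    return int(field[:-1]) * units[field[-1]]

def parse_config(text):
    """Return (type, path, age_seconds) per non-comment line; '!' suffix dropped."""
    rules = []
    for fields in (line.split() for line in text.splitlines()):
        if not fields or fields[0].startswith("#"):
            continue
        age = parse_age(fields[5]) if len(fields) > 5 else None
        rules.append((fields[0].rstrip("!"), fields[1], age))
    return rules

def glob_match(path, pattern):
    """Shell-style match where '*' does not cross '/', as glob(3) behaves."""
    p, q = path.strip("/").split("/"), pattern.strip("/").split("/")
    return len(p) == len(q) and all(fnmatch.fnmatchcase(a, b) for a, b in zip(p, q))

def would_remove(rules, path, mtime, now):
    """True if a clean-up run at `now` would delete `path`, last modified at `mtime`."""
    parts = path.strip("/").split("/")
    ancestors = ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    for typ, pat, _ in rules:
        # 'x' protects the match and everything below it; 'X' only the match itself.
        if typ == "x" and any(glob_match(a, pat) for a in ancestors):
            return False
        if typ == "X" and glob_match(path, pat):
            return False
    # 'D'/'d' lines with an Age clean entries below the directory older than Age.
    return any(typ in ("D", "d") and age is not None and now - mtime > age
               and path.startswith(base.rstrip("/") + "/") for typ, base, age in rules)

# Constructed fragment mirroring the report: 30-day /tmp clean-up plus exclusions.
EXAMPLE_CONF = """D /tmp 1777 root root 30d
x /tmp/.X11-unix
x /tmp/.X*-lock
X /tmp/tigervnc.*
"""
```

Note the `X` line: it keeps the TigerVNC directory itself but not the `passwd` file inside it, which is the kind of mistake this model is meant to catch.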