Requirements for implementation of $XDG_RUNTIME_DIR on the desktop

Registered by Steve Langasek on 2012-04-10

The $XDG_RUNTIME_DIR fd.o spec has received criticism on the FHS mailing list due to implementation bugs that allow non-root users to DoS the /run directory. Discuss what's required for a solution in Ubuntu.

Blueprint information

Status:
Complete
Approver:
Colin Watson
Priority:
High
Drafter:
Steve Langasek
Direction:
Approved
Assignee:
Steve Langasek
Definition:
Approved
Series goal:
Accepted for quantal
Implementation:
Implemented
Milestone target:
milestone icon ubuntu-12.10-beta-1
Started by
Steve Langasek on 2012-09-28
Completed by
Steve Langasek on 2012-09-28

Whiteboard

Etherpad notes from UDS:

http://lists.linuxfoundation.org/pipermail/fhs-discuss/2011-May/000248.html

/run/lock should be root-dialout, not world-writable; users don't need to be in the dialout group by default, even admin users; so remove the /run quota problem from the existing usage

- Solution also works for braille devices as runs as system service.

Still need to solve the /run/user problem. Do we want a single filesystem? How much memory? Each user directory perms 0700.

Best compromise seems to be single /run/user/ tmpfs mount with ~ 100 MB (possibly scaling up according to available memory size): avoids the overhead of a lot of extra tmpfs mounts, but provides enough quota-like limitations to avoid DoSing the system

dconf needs XDG_RUNTIME_DIR because you can't mmap() over NFS/ecryptfs (reliably)

$XDG_RUNTIME_DIR needs to be created in PAM, not in ConsoleKit: not all services use CK, e. g. cron jobs

Start with nodev, nosuid, noexec, and possibly drop noexec if the requirement pops up; starting with noexec is a better/safe default because it avoids circumenting a possible "noexec" policy on $HOME in business environments

ACTIONS:
* Implement this as a PAM session module with Upstart smarts, that creates the directory on login, reference counts, and deletes it on removal of all sessions; and exports the env var to the session

[2012-09-28] pam module pam_xdg_support has been implemented, handling the XDG_RUNTIME_DIR requirements. It does not yet integrate with upstart; that will be done next cycle as part of the user job support blueprint. So considering this blueprint completed.

(?)

Work Items

Work items:
[vorlon] implement a PAM session module with upstart smarts, that creates the XDG_RUNTIME_DIR on login, reference counts, and deletes it on removal of all sessions; and exports the env var to the session: DONE

Dependency tree

* Blueprints in grey have been implemented.