Requirements for implementation of $XDG_RUNTIME_DIR on the desktop
The $XDG_RUNTIME_DIR fd.o spec has received criticism on the FHS mailing list due to implementation bugs that allow non-root users to fill up /run and so deny service to everything that depends on it. Discuss what's required for a solution in Ubuntu.
Blueprint information
Status: Complete
Approver: Colin Watson
Priority: High
Drafter: Steve Langasek
Direction: Approved
Assignee: Steve Langasek
Definition: Approved
Series goal: Accepted for quantal
Implementation: Implemented
Milestone target: ubuntu-12.10-beta-1
Started by: Steve Langasek
Completed by: Steve Langasek
Related branches
Related bugs
Bug #766949: Upstart support for XDG_RUNTIME_DIR (Expired)
Bug #894391: [FFe, MIR] support $XDG_RUNTIME_DIR (Fix Released)
Whiteboard
Etherpad notes from UDS:
http://
/run/lock should be owned root:dialout and group-writable, not world-writable; users don't need to be in the dialout group by default, not even admin users. This removes the /run quota problem from the existing usage, since unprivileged users can then no longer fill /run through the lock directory.
- This also works for braille devices, since braille support runs as a system service.
Still need to solve the /run/user problem. Do we want a single filesystem? How much memory? Each user directory gets perms 0700.
Best compromise seems to be a single /run/user tmpfs mount of ~100 MB (possibly scaling up with available memory): this avoids the overhead of many extra tmpfs mounts while providing enough quota-like limitation to avoid DoSing the system. Note that a single shared mount only bounds the damage to /run/user itself: one user can still exhaust it and deny other users their runtime directories, but cannot touch the rest of /run.
dconf needs XDG_RUNTIME_DIR because mmap() does not work reliably over NFS/ecryptfs.
$XDG_RUNTIME_DIR needs to be created in PAM, not in ConsoleKit: not all sessions go through CK, e.g. cron jobs.
Start with nodev, nosuid, noexec, and possibly drop noexec if a requirement pops up; starting with noexec is the better/safer default because it avoids circumventing a possible noexec policy on $HOME in business environments.
ACTIONS:
* Implement this as a PAM session module with Upstart smarts, that creates the directory on login, reference counts, and deletes it on removal of all sessions; and exports the env var to the session
[2012-09-28] pam module pam_xdg_support has been implemented, handling the XDG_RUNTIME_DIR requirements. It does not yet integrate with upstart; that will be done next cycle as part of the user job support blueprint. So considering this blueprint completed.
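As an added illustration of the session logic the notes and action item above call for (create the per-user directory on login, reference-count sessions, remove it on the last logout, keep it 0700, and check that /run/user is the single hardened tmpfs), the following shell script is example code written for this page; it is not the pam_xdg_support module nor any Ubuntu code. It assumes a hypothetical deployment through pam_exec.so (which passes PAM_USER and PAM_TYPE to the script), an assumed /etc/fstab line for the /run/user mount shown in the comments, and the /proc/mounts lines it checks are constructed samples. The XDG_RUN_BASE and XDG_RUN_STATE variables are this example's own, so the logic can be exercised unprivileged against a scratch directory.

```shell
#!/bin/sh
# Example only: session-open/close logic for XDG_RUNTIME_DIR, modelled on the
# blueprint notes. Not the Ubuntu pam_xdg_support module. Assumes it is run
# by pam_exec.so as a session module (PAM_USER, PAM_TYPE in the environment).
#
# Assumed /etc/fstab line for the single hardened tmpfs the notes settle on:
#   tmpfs  /run/user  tmpfs  nodev,nosuid,noexec,size=100M,mode=0755  0 0

# Base directory for per-uid runtime dirs (overridable for testing).
XDG_RUN_BASE=${XDG_RUN_BASE:-/run/user}
# Session counters live in a root-owned directory beside the user dirs, so a
# user cannot bump or reset their own refcount from inside their directory.
XDG_RUN_STATE=${XDG_RUN_STATE:-$XDG_RUN_BASE/.sessions}

# Check one /proc/mounts line for the /run/user mount: must be tmpfs with
# nodev, nosuid, noexec and an explicit size= limit. Returns 0 when all hold.
mount_opts_ok() {
    set -- $1                     # split the line into its six fields
    [ "$3" = tmpfs ] || return 1
    opts=",$4,"
    for want in nodev nosuid noexec; do
        case "$opts" in *",$want,"*) ;; *) return 1 ;; esac
    done
    case "$opts" in *",size="*) return 0 ;; *) return 1 ;; esac
}

# Open a session for numeric uid $1: create $XDG_RUN_BASE/$uid as 0700 if it
# is absent, increment its session count, and print the directory path.
xdg_runtime_open() {
    uid=$1
    dir="$XDG_RUN_BASE/$uid"
    mkdir -p -m 0700 "$XDG_RUN_STATE" || return 1
    # Never follow a symlink planted where the user dir should be.
    if [ -L "$dir" ]; then return 1; fi
    if [ ! -d "$dir" ]; then
        mkdir -m 0700 "$dir" || return 1   # created with final perms, no window
        # Only root (which PAM runs as) can hand the directory to the user.
        if [ "$(id -u)" -eq 0 ]; then chown "$uid" "$dir" || return 1; fi
    fi
    chmod 0700 "$dir"                       # spec: each user dir is 0700
    count=$(cat "$XDG_RUN_STATE/$uid" 2>/dev/null || echo 0)
    echo $((count + 1)) > "$XDG_RUN_STATE/$uid"
    echo "$dir"
}

# Close a session for uid $1: decrement the count; on the last session remove
# the directory and the counter. Prints the number of sessions remaining.
xdg_runtime_close() {
    uid=$1
    dir="$XDG_RUN_BASE/$uid"
    count=$(cat "$XDG_RUN_STATE/$uid" 2>/dev/null || echo 0)
    count=$((count - 1))
    if [ "$count" -le 0 ]; then
        count=0
        rm -f "$XDG_RUN_STATE/$uid"
        rm -rf "$dir"
    else
        echo "$count" > "$XDG_RUN_STATE/$uid"
    fi
    echo "$count"
}

# pam_exec.so entry point: PAM_TYPE is open_session or close_session.
# pam_exec cannot set PAM environment variables, so exporting XDG_RUNTIME_DIR
# into the session still needs a real module calling pam_putenv().
pam_exec_main() {
    uid=$(id -u "$PAM_USER") || return 1
    case "$PAM_TYPE" in
        open_session)  xdg_runtime_open "$uid" >/dev/null ;;
        close_session) xdg_runtime_close "$uid" >/dev/null ;;
    esac
}

if [ -n "${PAM_TYPE:-}" ]; then
    pam_exec_main
fi
```

Two things this script deliberately leaves out, which a real module must handle: the counter is read and rewritten without a lock, so two simultaneous logins for one user can lose an increment (wrap the update in flock(1) or do it in-process), and, as noted in the comments, the environment export has to come from a proper PAM module, which is exactly why the action item asks for one rather than a pam_exec hook.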
Work items:
[vorlon] implement a PAM session module with upstart smarts, that creates the XDG_RUNTIME_DIR on login, reference counts, and deletes it on removal of all sessions; and exports the env var to the session: DONE