Bug ID 1225574
Summary AUDIT-FIND: apache2-mod_mono: configuration defaults to predictable socket path in /tmp
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter wolfgang.frisch@suse.com
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker ---

apache2-mod_mono, by default, creates a socket `/tmp/mod_mono_server_global`,
allowing unprivileged users to break the module by creating an identically
named file in that location.

However:
a) this behavior is documented
b) it is mitigated by a systemd hardening in the apache2 package:

> [Unit]
> Description=The Apache Webserver
> After=network.target nss-lookup.target time-sync.target remote-fs.target
> Before=getty@tty1.service plymouth-quit.service xdm.service
> PartOf=apache2.target
> [Service]
> Type=notify
> PrivateTmp=true
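
The mitigation in b) holds only while the service's effective unit configuration keeps `PrivateTmp=` enabled. The following is an added example, not code from the report, apache2 or mod_mono, that checks this statically. The function names and the `override.conf` drop-in are hypothetical, and the unit text is a constructed sample based on the excerpt above.

```shell
#!/bin/sh
# Print the effective PrivateTmp= value from the [Service] sections of the
# given unit files (main unit first, drop-ins after); the last assignment wins.
effective_private_tmp() {
    awk '
        FNR == 1      { in_service = 0 }              # new file, reset section state
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
        in_service && /^[ \t]*PrivateTmp[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            value = tolower($0)
        }
        END { print (value == "" ? "unset" : value) }
    ' "$@"
}

# Exit 0 if socket path $1 is under /tmp or /var/tmp (the directories that
# PrivateTmp= replaces) and the unit files $2... do not enable PrivateTmp=.
tmp_socket_exposed() {
    path=$1; shift
    case $path in
        /tmp/*|/var/tmp/*) ;;
        *) return 1 ;;                 # not a path this check covers
    esac
    case $(effective_private_tmp "$@") in
        1|yes|true|on) return 1 ;;     # service gets its own private /tmp
        *) return 0 ;;                 # socket would live in the shared /tmp
    esac
}

# Constructed sample input: the unit excerpt from the report, plus a
# hypothetical drop-in that switches the hardening off again.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/apache2.service" <<'EOF'
[Unit]
Description=The Apache Webserver
[Service]
Type=notify
PrivateTmp=true
EOF
printf '[Service]\nPrivateTmp=false\n' > "$sample_dir/override.conf"

report() { if tmp_socket_exposed "$@"; then echo exposed; else echo shielded; fi; }
sock=/tmp/mod_mono_server_global
echo "unit only:      $(report "$sock" "$sample_dir/apache2.service")"
echo "unit + drop-in: $(report "$sock" "$sample_dir/apache2.service" "$sample_dir/override.conf")"
```

On a live system, pass the packaged unit file followed by any drop-ins in the order systemd applies them.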

