Analysis of a root privilege escalation through the interaction of snap-confine and systemd-tmpfiles (CVE-2026-3888)
The combination of snap-confine and systemd-tmpfiles leads to a root privilege vulnerability (CVE-2026-3888). It stems from /tmp being world-writable, which complies with the POSIX and FHS standards but readily gives rise to security risk.
2026-03-18 01:08:00
Author: seclists.org
oss-sec mailing list archives
From: Michael Orlitzky <michael () orlitzky com>
Date: Tue, 17 Mar 2026 21:06:24 -0400
On 2026-03-17 13:58:17, Michal Zalewski wrote:
> Nice work... flashbacks from 2002
> (https://lcamtuf.coredump.cx/tmp_paper.txt). It's frankly somewhat
> mind-boggling that distros keep a world-writable /tmp this day and
> age. Whatever questionable benefits it has, it also contributed to
> plenty of pointless and easily avoidable vulns.
It's required by POSIX which, funny enough, forbids /tmp from being
used the way snap-confine is using it. I wouldn't expect either of
these projects to care about POSIX, but the same description was
copied & pasted into the FHS. And to its credit, systemd has a
page full of documentation on how to avoid this exact problem.
1. https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/V1_chap10.html
2. https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s18.html
3. https://systemd.io/TEMPORARY_DIRECTORIES/
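The systemd guidance the reply points to comes down to never trusting a path under a shared, world-writable /tmp. The following added example (not from the thread, snap-confine or systemd) shows that defensive pattern in C: a private mkdtemp() directory, openat() relative to a verified directory fd, and fstat() checks on what was actually opened. The function names and the `data` filename are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove the file and directory created by open_private_tmpfile(). */
int remove_private_tmp(const char *dir)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/data", dir);
    unlink(path);          /* ignore ENOENT: the file may never have been created */
    return rmdir(dir);
}

/* Open a scratch file under the world-writable directory `base` (e.g. /tmp)
 * without trusting any path component another user could have planted.
 * Returns an fd, or -1; on success `dir_out` holds the private directory. */
int open_private_tmpfile(const char *base, char *dir_out, size_t dir_len)
{
    char dir[PATH_MAX];
    struct stat st;
    if (snprintf(dir, sizeof dir, "%s/scratch.XXXXXX", base) >= (int)sizeof dir)
        return -1;
    /* mkdtemp(): atomic mkdir with an unguessable name and mode 0700, so
     * nobody else can pre-create the directory or replace it with a symlink. */
    if (mkdtemp(dir) == NULL)
        return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) goto fail;
    /* Confirm the directory is really ours and private before using it. */
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(dfd);
        goto fail;
    }
    /* openat() relative to the verified fd: the name is not re-resolved through
     * /tmp, and O_EXCL|O_NOFOLLOW refuse any pre-existing entry or symlink. */
    int fd = openat(dfd, "data", O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dfd);
    if (fd < 0) goto fail;
    /* Belt and braces: a regular file, owned by us, with a single link. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        goto fail;
    }
    snprintf(dir_out, dir_len, "%s", dir);
    return fd;
fail:
    remove_private_tmp(dir);
    return -1;
}
```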
Source: https://seclists.org/oss-sec/2026/q1/333