oss-sec mailing list archives
Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888)
From: Michael Orlitzky <michael () orlitzky com>
Date: Tue, 17 Mar 2026 21:06:24 -0400
On 2026-03-17 13:58:17, Michal Zalewski wrote:
Nice work... flashbacks from 2002 (https://lcamtuf.coredump.cx/tmp_paper.txt). It's frankly somewhat mind-boggling that distros keep a world-writable /tmp in this day and age. Whatever questionable benefits it has, it also contributed to plenty of pointless and easily avoidable vulns.
It's required by POSIX [1] which, funny enough, forbids /tmp from being used the way snap-confine is using it. I wouldn't expect either of these projects to care about POSIX, but the same description was copied & pasted into the FHS [2]. And to its credit, systemd has a page full of documentation on how to avoid this exact problem [3].

1. https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/V1_chap10.html
2. https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s18.html
3. https://systemd.io/TEMPORARY_DIRECTORIES/