
Re: proposal: per-user temporary directories on by default?

On Wed, 23 Jul 2003 11:26:58 +0200, Tollef Fog Heen wrote:

> * Christoph Hellwig
> | On Wed, Jul 23, 2003 at 02:09:28PM +1000, Martin Pool wrote:
> | > There is already a PAM module, libpam-tmpdir which automatically sets
> | > this up on login by creating a per-user directory under /tmp and
> | > pointing TMPDIR at it.  Despite the scary low version number of 0.04
> | > it seems to work reliably and presumably any bugs could be fixed.
> | 
> | Nice idea, wrong implementation.  Let login fork the login shell with
> | CLONE_NEWNS and do a VFS-binding from ~/tmp to /tmp.

Presumably you'd want to add this through a PAM module rather than hacking
it right into login, otherwise gdm, ssh etc wouldn't be consistent.

Having decided to do it through PAM, is it really necessary to change the
VFS rather than setting $TMPDIR?  Making it impossible to get to the real
/tmp makes it a bit more intrusive and potentially confusing than really
seems necessary.  Given that there is a TMPDIR variable which is obeyed
in most cases, using it seems to be easier than remapping /tmp.

Fixing programs which are hardcoded to /tmp to use TMPDIR is pretty
trivial.  Making sure that operations in a world-writable directory are
secure can be very hard.

A PAM module which does VFS setup would be pretty cool, but I don't think
that's the one Debian should use by default.

> CLONE_NEWNS is 2.4.19 and higher only.  Also, ~ might be on NFS or similar
> where you don't want to put temporary files.

> (And about the version number of libpam-tmpdir: it could just as easily have
> been 0.4, in which case nobody would have thought it was «scaringly
> low».  Yes, I'm upstream for it.)

Thanks for writing it.

I couldn't find any web pages about libpam-tmpdir other than the Debian
package.  It might be nice to put up just a small one so that it's easier
for other systems to find.

> If we were to put it in as default, I'd like to clean up the code a bit..
> it should be safe, but it could use a little tidying up.

There are small issues I'll discuss offline.

I'm not sure if this is featurism, but you might add a parameter to allow
people to set the path.  /tmp/users/$uid/ is a good default but people
might possibly want it in /home or elsewhere for disk space or other


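As an added illustration of the approach discussed in this thread (creating a per-user directory under /tmp and pointing TMPDIR at it), here is a small C program. It is example code written for this page, not libpam-tmpdir's source and not anything posted by the participants; the base path /tmp/users, the 0700 mode and the particular ownership and symlink checks are assumptions chosen to show why the per-user directory must be validated before it is trusted, since the base directory is world-writable.

```c
/* Added example, not libpam-tmpdir's code. Creates <base>/<uid> with mode
 * 0700 and validates it before pointing TMPDIR at it. The base directory
 * (assumed: /tmp/users) is world-writable, so another user could have
 * planted a symlink or a directory of their own at our path in advance. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Make sure the shared base exists and is a directory that is either not
 * world-writable or has the sticky bit set (so others cannot rename or
 * unlink our per-user directory out from under us). Returns 0 if OK. */
static int ensure_base(const char *base)
{
    int created = (mkdir(base, 01777) == 0);
    if (!created && errno != EEXIST)
        return -1;
    int fd = open(base, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode)) {
        if (created)
            rc = fchmod(fd, 01777);        /* we just made it: undo the umask */
        else if (!(st.st_mode & S_IWOTH) || (st.st_mode & S_ISVTX))
            rc = 0;                         /* pre-existing and acceptable */
    }
    close(fd);
    return rc;
}

/* Validate an already-open directory fd: a real directory, owned by `uid`,
 * with no group/other permission bits. Returns 0 if OK. */
static int check_private_dir(int fd, uid_t uid)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != uid)
        return -1;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return -1;
    return 0;
}

/* Create <base>/<uid> (0700) if missing and validate it. O_NOFOLLOW makes a
 * symlink planted at that path fail with ELOOP instead of redirecting us;
 * the fstat checks reject a directory that exists but belongs to someone
 * else or is readable by others. On success writes the path to `out` and
 * returns 0; on any failure returns -1 and leaves `out` empty. */
int ensure_user_tmpdir(const char *base, uid_t uid, char *out, size_t outlen)
{
    out[0] = '\0';
    if (ensure_base(base) != 0)
        return -1;
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/%lu", base, (unsigned long)uid);
    if (n < 0 || (size_t)n >= sizeof path || (size_t)n >= outlen)
        return -1;
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    int rc = check_private_dir(fd, uid);
    close(fd);
    if (rc != 0)
        return -1;
    memcpy(out, path, (size_t)n + 1);
    return 0;
}

/* Stand-alone usage: set up the directory for the current user and export
 * TMPDIR, which is roughly what a PAM session module would do at login. */
int main(void)
{
    char dir[PATH_MAX];
    if (ensure_user_tmpdir("/tmp/users", getuid(), dir, sizeof dir) != 0) {
        perror("ensure_user_tmpdir");
        return 1;
    }
    setenv("TMPDIR", dir, 1);
    printf("TMPDIR=%s\n", dir);
    return 0;
}
```

The design choice worth noting is that the program never trusts a pre-existing directory at the per-user path: it refuses to proceed rather than chmod'ing or reusing something another user may have created, which is the property that makes the per-user directory safer than working directly in a world-writable /tmp.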