Re: proposal: per-user temporary directories on by default?
On Thu, 24 Jul 2003 16:56:50 -0600, Dwayne C. Litzenberger wrote:
> On Thu, Jul 24, 2003 at 02:50:05PM -0500, Steve Greenland wrote:
>> Please don't. Is there *any* reason why defaulting
>> TMPDIR=/tmp/<username> is inferior to TMPDIR=/tmp?
> Systems with large numbers of users (which normally use, for example,
> /home/u/username), and filesystems which don't like large numbers of
> entries, might quickly have performance problems.
The issue is having a number of directories under /tmp/users/<uid>, each
with a moderate number of files, vs having a large number of files
directly under /tmp. It will depend on the particular case but I don't
think the first will be worse than the second. Indeed the two-level
case with /tmp/users/<uid> is closer to the setup you mention.
The tmpdir for an active user is likely to be in the dcache much of the
time, which means that accessing files in it may well be faster than
looking through an enormous /tmp/ shared by all users.
If people are running a tmpreaper, then it will reap the directories of
any users who have not used them for n days. On machines with many users
who are intermittently active the case is quite different to /home, where
all the directories have to exist all the time.
Administrators for whom this is a concern can always override it from a
Anyhow, I don't think a highly speculative possible performance issue
justifies neglecting a concrete security improvement that would
have effectively protected users from a number of existing problems.
> And then there's the issue of making *really sure* that /tmp/username
> always exists and has the correct permissions,
I think doing this once and properly in libpam-tmpdir is more likely to be
secure than various administrators or programs trying to get it right.
I have already done a quick audit of the source and filed some (fairly
minor) bugs; other people are welcome to do so too.
I am not saying that libpam-tmpdir is eternal and perfect in its current
state. There are some issues that could be improved. But I would like
Debian to move towards per-user tmp as a general idea.
> otherwise this would be
> worse, because once we do this, people will probably stop caring about
> creating temporary files securely.
Well, those people would be pretty damn foolish, because the issue will
still exist on almost all other Unix systems or on systems that reset
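Added example, not code from the thread or from libpam-tmpdir itself: a C function that creates a base/<uid> directory the way the quoted concern asks for, refusing planted symlinks and directories owned by anyone else, and fixing ownership and mode only through the open file descriptor. It assumes `base` is a root-owned directory that is not world-writable (for instance /tmp/user with mode 0711); the self-test uses a constructed base under /tmp.

```c
/* Constructed illustration of safe per-user tmpdir creation (not libpam-tmpdir).
 * Assumes `base` is root-owned and not world-writable, e.g. /tmp/user mode 0711. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 and fills `out` with base/<uid> on success, -1 on any failure. */
int ensure_user_tmpdir(const char *base, uid_t uid, gid_t gid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%lu", base, (unsigned long)uid);
    if (n < 0 || (size_t)n >= outlen) return -1;
    /* Create with 0700; EEXIST only means something already sits at that name. */
    if (mkdir(out, 0700) != 0 && errno != EEXIST) return -1;
    /* Open the name itself (O_NOFOLLOW): a planted symlink fails with ELOOP
     * instead of being silently followed into another user's directory. */
    int fd = open(out, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    int ok = fstat(fd, &st) == 0;
    /* Ownership: accept the target user, or a root-owned directory when we run
     * as root (we just created it). Anything else was planted: refuse, never chown. */
    if (ok && st.st_uid != uid)
        ok = geteuid() == 0 && st.st_uid == 0 && fchown(fd, uid, gid) == 0;
    /* Tighten group/other bits on the open fd, not on the path (no TOCTOU window). */
    if (ok && (st.st_mode & (S_IRWXG | S_IRWXO)))
        ok = fchmod(fd, 0700) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Self-test on a constructed base directory: counts the scenarios that behave. */
int run_self_test(void)
{
    char base[] = "/tmp/tmpdir-demo-XXXXXX", path[512], link[512];
    if (!mkdtemp(base)) return -1;
    uid_t me = getuid(); int passed = 0;
    passed += ensure_user_tmpdir(base, me, getgid(), path, sizeof path) == 0;  /* fresh */
    passed += ensure_user_tmpdir(base, me, getgid(), path, sizeof path) == 0;  /* idempotent */
    snprintf(link, sizeof link, "%s/%lu", base, (unsigned long)me + 1);
    passed += symlink("/", link) == 0 &&
              ensure_user_tmpdir(base, me + 1, getgid(), path, sizeof path) == -1;  /* planted link */
    return passed;
}
int main(void) { printf("%d/3 scenarios passed\n", run_self_test()); return 0; }
```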