On Sat, Jul 26, 2003 at 09:16:44AM +1000, Matthew Palmer wrote:
> > Not necessarily. With the current /tmp system, the only directory entries
> > that are created are the ones that are actually needed at any given time.
> > If we switch to /tmp/username, then there will be a directory entry in /tmp
> > for *every user* who ever logs on.
>
> Hang about. You seem to have two different systems running here. One where
> files get cleaned out of /tmp sometimes, and one where they don't.

No, I'm not, actually. tmpreaper works by absolute time, like 7 days. *Many* users can log into a system during that amount of time, but they probably won't all be creating temporary files that they don't clean up shortly after. With libpam-tmpdir, it doesn't matter whether the user doesn't even have a home directory (i.e. system users, qmail users, nobody, etc) -- they will all cause an entry to be created in /tmp/user.

Pretty soon, normal users are going to start using multiple uids in a session. (For example, each user could have their GnuPG/SSH/whatever private keys in a separate user's home directory that only GnuPG/ssh-add/whatever has access to -- this would prevent people with access to your terminal while you're away from your desk from getting copies of those keys to run dictionary attacks on. Users could also have Wine/Mozilla running as a different user, so that security holes don't compromise their home dirs. I'm sure there are other applications for this.) If normal users start using 5 uids each, that's 5 directory entries per user in /tmp/user. Yet, none of the programs running under these uids might ever write files to $TMPDIR.

> I would have thought that either of tmpreaper or clean-on-boot would
> solve the excess directories problem. There is no shortage of programs
> that leave crap in /tmp after they're finished on my system, at any rate.
> Splitting those up into multiple per-user directories could only improve
> matters, surely?

How many of those programs create a new file for every user that ever logs in? That's what this proposal creates.

Do I think using libpam-tmpdir by default would work? Yes, at least for the short term. However, I also think it's a band-aid solution for the real problem (excessive /tmp vulnerabilities), and it introduces problems of its own.

<rant>
Personally, I'd rather see a better set of tools for programmers to use to create temporary files. tmpfile(3) is horribly inadequate for a lot of things (like when you need to know the filename of the file you just created), and I have yet to see a good interface for securely creating directories.
</rant>

-- 
Dwayne C. Litzenberger <firstname.lastname@example.org>

The attachment is an OpenPGP (PGP/MIME) signature, which can be used to verify the authenticity of this message. See the message headers for more information.
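As an added example (not code from this thread, from libpam-tmpdir or from tmpreaper), the C below shows how a program can obtain a temporary file whose name it knows, and a private scratch directory, without the shared-/tmp races the thread is arguing about: mkstemp(3) and mkdtemp(3) create with O_EXCL semantics and private modes, and the template honours the per-user $TMPDIR that libpam-tmpdir exports. The helper names, the "demo-" prefix and the 1024-byte buffers are my own assumptions.

```c
/* Added example, not from the thread: named temp file (which tmpfile(3) hides)
 * and private temp directory, created without racing other /tmp users.
 * Honours $TMPDIR as set by libpam-tmpdir. Assumes a POSIX system with
 * mkstemp(3)/mkdtemp(3); the feature macro must precede every include. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Fill buf with "<dir>/<prefix>XXXXXX"; dir is $TMPDIR (absolute only) or /tmp. */
static int tmp_template(char *buf, size_t len, const char *prefix) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || dir[0] != '/') dir = "/tmp";
    int n = snprintf(buf, len, "%s/%sXXXXXX", dir, prefix);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Create and open a fresh file. mkstemp uses O_CREAT|O_EXCL and mode 0600, so
 * a pre-planted symlink or file at the chosen name makes it fail rather than
 * being followed. On success `path` holds the name and the fd is returned. */
int secure_tmpfile(char *path, size_t len, const char *prefix) {
    struct stat st;
    if (tmp_template(path, len, prefix) != 0) return -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    /* Belt and braces: confirm we hold our own regular, private file. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || (st.st_mode & 077) != 0) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}

/* Create a private (mode 0700) scratch directory; returns 0 and fills `path`. */
int secure_tmpdir(char *path, size_t len, const char *prefix) {
    if (tmp_template(path, len, prefix) != 0) return -1;
    return mkdtemp(path) == NULL ? -1 : 0;
}

/* Exercise both helpers and clean up; returns 0 only if every check passed. */
int demo(void) {
    char f[1024], d[1024]; struct stat st;
    int fd = secure_tmpfile(f, sizeof f, "demo-");
    if (fd < 0) return -1;
    int ok = write(fd, "scratch\n", 8) == 8 && access(f, F_OK) == 0;
    close(fd); unlink(f);
    if (!ok || secure_tmpdir(d, sizeof d, "demo-") != 0) return -1;
    ok = stat(d, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & 0777) == 0700;
    rmdir(d); return ok ? 0 : -1;
}
```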