
Re: proposal: per-user temporary directories on by default?



On Sat, Jul 26, 2003 at 09:16:44AM +1000, Matthew Palmer wrote:
> > Not necessarily.  With the current /tmp system, the only directory entries
> > that are created are the ones that are actually needed at any given time.
> > If we switch to /tmp/username, then there will be a directory entry in /tmp
> > for *every user* who ever logs on.
> 
> Hang about.  You seem to have two different systems running here.  One where
> files get cleaned out of /tmp sometimes, and one where they don't.

No, I'm not, actually.  tmpreaper works by absolute time, like 7 days.
*Many* users can log into a system during that amount of time, but they
probably won't all be creating temporary files that they don't clean up
shortly after.  With libpam-tmpdir, it doesn't matter whether the user
doesn't even have a home directory (i.e. system users, qmail users, nobody,
etc) -- they will all cause an entry to be created in /tmp/user.

Pretty soon, normal users are going to start using multiple uids in a
session.  (For example, each user could have their GnuPG/SSH/whatever
private keys in a separate user's home directory that only
GnuPG/ssh-add/whatever has access to -- this would prevent people with
access to your terminal while you're away from your desk from getting
copies of those keys to run dictionary attacks on.  Users could also have
Wine/Mozilla running as a different user, so that security holes don't
compromise their home dirs.  I'm sure there are other applications for
this.)

If normal users start using 5 uids each, that's 5 directory entries per
user in /tmp/user.  Yet, none of the programs running under these uids
might ever write files to $TMPDIR.

> I would have thought that either of tmpreaper or clean-on-boot would
> solve the excess directories problem.  There are no shortage of programs
> that leave crap in /tmp after they're finished on my system, at any rate.
> Splitting those up into multiple per-user directories could only improve
> matters, surely?

How many of those programs create a new file for every user that ever logs
in?  That's what this proposal creates.

Do I think using libpam-tmpdir by default would work?  Yes, at least for
the short term.  However, I also think it's a band-aid solution for the
real problem (excessive /tmp vulnerabilities), and it introduces problems
of its own.

<rant>
Personally, I'd rather see a better set of tools for programmers to use to
create temporary files.  tmpfile(3) is horribly inadequate for a lot of
things (like when you need to know the filename of the file you just
created), and I have yet to see a good interface for securely creating
directories.
</rant>

-- 
Dwayne C. Litzenberger <dlitz@dlitz.net>
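A worked example added here (not code from this thread, from libpam-tmpdir or from tmpreaper) of the kind of interface the rant asks for, using POSIX mkdtemp(3) and openat(2): create an unpredictable 0700 directory under $TMPDIR first, then a file with a known name inside it, so the caller gets both paths back without the symlink race a predictable name directly in /tmp would have. The function names and the "scratch." prefix are my own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private 0700 scratch directory under $TMPDIR (or /tmp) and a
 * 0600 file named "data" inside it.  dir_out/file_out receive the chosen
 * paths so the caller can hand them to other programs.  Returns an open
 * descriptor for the file, or -1 on error (nothing is left behind). */
int make_private_tmp(char *dir_out, size_t dir_len, char *file_out, size_t file_len)
{
    const char *base = getenv("TMPDIR");
    int dfd, fd;
    if (base == NULL || base[0] != '/')
        base = "/tmp";            /* ignore empty or relative TMPDIR */
    if (snprintf(dir_out, dir_len, "%s/scratch.XXXXXX", base) >= (int)dir_len)
        return -1;
    /* mkdtemp picks an unpredictable name and creates the directory 0700
     * in one step, so nobody can pre-create or symlink the path first. */
    if (mkdtemp(dir_out) == NULL)
        return -1;
    if (snprintf(file_out, file_len, "%s/data", dir_out) >= (int)file_len)
        goto fail;
    dfd = open(dir_out, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        goto fail;
    /* Inside a directory only we can write to, a fixed filename is safe;
     * O_EXCL still proves we created it rather than opened an old file. */
    fd = openat(dfd, "data", O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0)
        goto fail;
    return fd;
fail:
    rmdir(dir_out);
    return -1;
}

/* Remove the file and directory created by make_private_tmp. */
int remove_private_tmp(const char *dir, const char *file)
{
    if (unlink(file) != 0 && errno != ENOENT)
        return -1;
    return rmdir(dir);
}
```

The caller still has to remove the directory itself; nothing here depends on tmpreaper or a reboot to clean up.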
