Re: /run vs. /lib/run
On Friday 23 December 2005 10:36, Gabor Gombas <email@example.com> wrote:
> On Thu, Dec 22, 2005 at 05:18:43PM +1100, Russell Coker wrote:
> > Putting system directories under /tmp is a really bad idea, it opens
> > possibilities of race condition attacks by unprivileged users against
> > system processes. Generally for almost everything we should be looking
> > to reduce usage of /tmp rather than increase it.
> There are no user processes while scripts in /etc/rcS.d are running (not
There are processes run from rcS.d that use data written by untrusted user
processes, /etc/init.d/nviboot is one example.
There are also processes that read network data (which is potentially
hostile). /etc/init.d/ntpdate is one example.
> even crontabs, since cron itself has not been started yet). And after
> rc.S has finished, there is no justification to use /run. I do not see
> the problem with using /tmp for /run.
Why not use /home? Why not /root? Both of those directories will work and
should not be accessed from rcS.d, but for good design we don't want to do
One of the problems with using a directory such as /tmp in a way other than
it's usual design under extraordinary circumstances is that people will see
the code in question, not understand the situation in which it was run, and
write other code that runs in multi-user mode which does similar things.
Another problem is that code which is written to run in single-user mode may
get changed to run in multi-user mode. A little thing like insecure
temporary file use in /tmp is not something that a typical sys-admin or
programmer is likely to notice when changing a program to run at a different
> Moreover, I still mean to mount a temporary tmpfs over /tmp, so unless
> you explicitely do a "chmod a+w /tmp", normal user processes will not
> even be able to write to /tmp until the real /tmp is mounted (or if /tmp
> is on /, until the tmpfs is unmounted).
The default for a tmpfs is that the root directory is mode 1777, so if you
don't explicitly remove such access then it's granted. You might want to do
some tests of some of the things you are suggesting.
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page