
Re: execute permissions in /tmp



On Mon, Jul 14, 2003 at 01:44:21PM -0400, Phillip Hofmeister wrote:

> On Mon, 14 Jul 2003 at 12:55:38PM -0400, Matt Zimmerman wrote:
> > On Mon, Jul 14, 2003 at 12:23:01PM -0400, bda wrote:
> > > As for the ~/tmp or ~/.tmp commentary, I have no real opinion, but it
> > > seems like it'd be a lot of work to implement. :-)
> > 
> > Most of the work is adding support for the TMPDIR environment variable to
> > programs which do not already support it, and that is actually very easy.
> 
> Probably harder than that...
> What should be done about users that don't have +w to ~?

They use a different directory.  That's what the environment variable is
for, and it's simple to set it differently for different users (for example,
using PAM).

> Many system
> services are set up with home directories to / or /home.
> 
> www-data:x:33:33:www-data:/var/www:/bin/sh
> 
> Unless you are using WebDAV to upload files www-data doesn't need write
> access to /var/www.  Even if you did give it write access, anyone
> surfing your site would be able to access http://host/tmp/ (unless you
> set up another Apache ACL).  The system of a global directory works just
> fine if it is properly secured (with say the GRSecurity patch).

The www-data user's existence is a design flaw.

-- 
 - mdz
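
An added worked example, not code from the thread, from Debian or from any of
the posters: how a TMPDIR-aware program (or a login script) can resolve its
scratch directory in the order the thread is arguing about, and what it does
for an account whose home is not writable, which is the www-data case Phillip
raised. The tmpdir_safe/tmpdir_resolve/mktemp_in names, the ~/tmp convention
and the 0700 mode are this example's own choices, not anything the thread or
Debian specifies; the checks rely on test -O and test -k, which both bash and
dash support.

```shell
#!/bin/sh
# Added example (not from the thread): honour TMPDIR, fall back to a
# private ~/tmp, and only then to the shared sticky /tmp.

# tmpdir_safe DIR: succeed if DIR is a directory we can write to and
# either belongs to us or is sticky, so other users cannot rename or
# unlink our files out from under us.
tmpdir_safe() {
    d=$1
    [ -d "$d" ] && [ -w "$d" ] && [ -x "$d" ] || return 1
    [ -O "$d" ] || [ -k "$d" ]
}

# tmpdir_resolve: print the directory a program should use for scratch
# files.  Order: $TMPDIR if it is usable, then a private ~/tmp (created
# mode 0700 when $HOME is writable), then /tmp.  Anything set per user
# by PAM or a login script arrives here through $TMPDIR.
tmpdir_resolve() {
    if [ -n "$TMPDIR" ] && tmpdir_safe "$TMPDIR"; then
        printf '%s\n' "$TMPDIR"
        return 0
    fi
    if [ -n "$HOME" ] && [ -d "$HOME" ]; then
        if [ -d "$HOME/tmp" ] ||
           { [ -w "$HOME" ] && mkdir -m 0700 "$HOME/tmp" 2>/dev/null; }; then
            if tmpdir_safe "$HOME/tmp"; then
                printf '%s\n' "$HOME/tmp"
                return 0
            fi
        fi
    fi
    # Service accounts such as www-data (home /var/www, no write access)
    # or users without +w to ~ end up here, on the shared directory.
    if tmpdir_safe /tmp; then
        printf '%s\n' /tmp
        return 0
    fi
    return 1
}

# mktemp_in: create a unique scratch file in the resolved directory and
# print its path.  A per-user directory narrows who can race us; mktemp's
# unpredictable name is still what defeats symlink tricks in a shared /tmp.
mktemp_in() {
    dir=$(tmpdir_resolve) || return 1
    mktemp "$dir/example.XXXXXX"
}
```

Run it as a normal user with TMPDIR unset and it will create ~/tmp and use it;
run it with HOME pointing at a directory you cannot write to and it drops to
/tmp, which is the behaviour the www-data objection is about.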
