
Re: /tmp permissions



On Sun, 13 Sep 1998, Nuno Carvalho wrote:

 : Hi,
 : 
 :  I've some questions about /tmp directory:
 : 
 :  My /tmp directory permissions are:
 : 
 :      rwxrwxrwt   2 root     root         1024 Sep 13 14:17 tmp
 : 
 :  ... meanwhile chmod manual says that "t" permission is to: save program
 : text on swap device !

There are many meanings for the t permission (usually referred to as the
sticky bit).  Originally the sticky bit was applied to frequently run
programs so they would always be hanging around in memory (or at least
in swap).

However, setting the sticky bit on a directory means that only the owner
of a file within that directory may delete it.  This solves a thorny
issue with /tmp: the directory must be world writable in order for all
users to write files in it, but write permissions on a directory allow
any user to delete any file, regardless of the file's permissions.
Therefore the sticky bit, when applied to a directory, was interpreted
as a special case.  Now any user may create a file in /tmp and have
reasonable assurance that another user will not be able to delete it.
(There are still some exploit problems with /tmp, however).

Any decent UNIX book will have a better explanation of this.

 :   What this means !? /tmp directory isn't on any swap device !
 : 
 :  It's a "good policy" for /tmp directory to have 777 permissions !?
 :  With such permissions any user could write on that directory until even
 : there's no more space on device, right !?
 
Well, if you're worried about that, put /tmp on its own filesystem and
implement quotas.  Most of my multiuser systems have many filesystems,
with different quotas in place:

brahe:~ $ cat /etc/fstab
# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>               <dump>
<pass>
/dev/sda1       /               ext2    defaults,errors=remount-ro   0
1
/dev/sdb7 none swap sw,pri=1
/dev/sdb8 none swap sw,pri=1
proc                /proc           proc    defaults
/dev/sda4 /usr ext2 defaults 0 2
/dev/sdb2 /home ext2 defaults,nodev,noexec,nosuid,usrquota 0 2
/dev/sda3 /var ext2 defaults 0 2
/dev/sdb3 /tmp ext2 defaults,usrquota=/var/state/quotas/tmp.quota 0 2
/dev/sda5 /var/log ext2 defaults 0 2
/dev/sdb5 /var/tmp ext2 defaults,usrquota=/var/state/quotas/vtmp.quota 0
2
/dev/sda6 /var/spool/mail ext2 
defaults,usrquota=/var/state/quotas/mail.quota 0 2
/dev/sdb6 /var/spool/mqueue ext2 defaults 0 2
/dev/sda7 /var/spool/pop ext2
defaults,usrquota=/var/state/quotas/pop.quota 0 2

Some lines are broken, but you get the idea.

A typical user's quota looks like this:

brahe:~ $ sudo edquota webgod
Quotas for user webgod:
/dev/sdb2: blocks in use: 3529, limits (soft = 5120, hard = 7680)
        inodes in use: 206, limits (soft = 1280, hard = 1920)
/dev/sdb3: blocks in use: 0, limits (soft = 49152, hard = 49152)
        inodes in use: 0, limits (soft = 12288, hard = 12288)
/dev/sdb5: blocks in use: 0, limits (soft = 49152, hard = 49152)
        inodes in use: 0, limits (soft = 12288, hard = 12288)
/dev/sda6: blocks in use: 0, limits (soft = 10240, hard = 15360)
        inodes in use: 1, limits (soft = 5, hard = 5)
/dev/sda7: blocks in use: 0, limits (soft = 25600, hard = 25600)
        inodes in use: 0, limits (soft = 5, hard = 5)

Our users get 5 MB home dirs, 10 MB mail spools, and at least three of
them have to collaborate to fill /tmp or /var/tmp (each filesystem is
128 MB).  This makes it easier to kick idiots off the system.

Aileen Frisch's excellent O'Reilly book does a good job explaining all
this stuff, and many other aspects of UNIX administration.

--
Nathan Norman
MidcoNet  410 South Phillips Avenue  Sioux Falls, SD
mailto:finn@midco.net           http://www.midco.net
finger finn@home.midco.net for PGP Key: (0xA33B86E9)
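
Added example, not part of the original message: a small POSIX shell audit for the directory case discussed above, flagging world-writable directories that lack the sticky bit (mode 0777 rather than 1777). The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Audit for the /tmp problem: a world-writable directory without the
# sticky bit lets any user delete or rename any other user's files in it.

# List every directory under $1 that is world-writable but not sticky.
# -perm -0002 : "other" write bit set;  ! -perm -1000 : sticky bit clear.
# -xdev keeps the scan on a single filesystem.
find_unsticky_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Classify a single directory:
#   unsafe     world-writable, no sticky bit (rwxrwxrwx)
#   sticky     world-writable, deletion limited to owners (rwxrwxrwt)
#   restricted not world-writable at all
classify_dir() {
    if [ ! -d "$1" ]; then
        echo "not-a-directory"
        return 1
    fi
    # -prune makes find test only the directory itself, not its contents.
    if [ -n "$(find "$1" -prune -perm -0002 ! -perm -1000)" ]; then
        echo "unsafe"
    elif [ -n "$(find "$1" -prune -perm -0002 -perm -1000)" ]; then
        echo "sticky"
    else
        echo "restricted"
    fi
}

# Constructed sample tree (not real system paths); prints its root.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shared_sticky" "$root/shared_open" "$root/private"
    chmod 1777 "$root/shared_sticky"   # like /tmp: rwxrwxrwt
    chmod 0777 "$root/shared_open"     # rwxrwxrwx, the risky case
    chmod 0755 "$root/private"
    echo "$root"
}

# Demonstration on the constructed tree.
sample=$(make_sample_tree)
for d in shared_sticky shared_open private; do
    printf '%-14s %s\n' "$d" "$(classify_dir "$sample/$d")"
done
echo "world-writable without sticky bit:"
find_unsticky_dirs "$sample"
rm -rf "$sample"
```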


