On Friday 12 May 2006 07:46, Marten Lehmann wrote:
> > When you want to change the quotas or set them, run:
> > # setquota username block-soft block-hard inode-soft inode-hard -a
>
> But I'm looking for a clean way to do it without workarounds with selinux!

That's not an SELinux command, that's quota management.
So, if you do *not* want to use SELinux, then why is this thread on this list?
Or am I misunderstanding what you are saying there?

> The system includes a webserver and when someone uses the fileupload
> PHP, then the uploaded file will be stored in /tmp.

That is not a good idea. Instead, either create a separate location on your
filesystem(s). It is dangerous to allow any network access of any kind
For that purpose, change the app to upload the files to a directory somewhere
on the system that has a subdirectory for each user and you can then symlink
the per-user subdirectories into each user's home directory. Or, you could
just have the app upload files into the particular user's home directory.
Both of these options would be much better (from a security standpoint) than
what you are currently trying to do.

> So a quota of just 1
> MB on /tmp for every user is not enough.

Well, 1MB was just a relative number I used as an example.

> > If the quota limits need to be as strict as your first message
> > then I'm surprised you haven't already had /tmp/ on a separate
> > filesystem, with separate quotas set. Additionally, I always split off
> > /tmp/ so *if* it fills, it doesn't "damage" my root filesystem.
>
> Actually, /home is not part of the root-partition

Yes, I understood that. You asked how to make them share the same quota-space
and that would require them to be on the same partition. So, I phrased that
as an example of having both /home/ and /tmp/ on a common filesystem. Sorry
for the confusion, there.

> and /tmp could be a
> symlink to /home/tmp so both can use the same quota definitions. But how
> can I set up a system-wide policy that disallows to execute files from
> /tmp or /home/tmp?

The best way, as I see it, is to stop trying to use /tmp/ for this. If the
reason you are using /tmp/ is because you want old files to be removed
automatically once they get "stale enough," then create your own cron job
that runs tmpwatch and clears your upload director(y|ies). Simple. More
secure. No danger in /tmp/. Quotas could be applied as you like.
Lamont R. Peterson <lamont(a)gurulabs.com>
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
GPG Key fingerprint: F98C E31A 5C4C 834A BCAB 8CB3 F980 6C97 DC0D D409
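
The layout recommended in the message above (per-user upload directories outside /tmp, symlinked into each home directory, cleaned from cron), as an added example that is not part of the original e-mail. UPLOAD_BASE, the function names and the script path are assumptions, and find is used in place of tmpwatch for the age-based cleanup.

```shell
#!/bin/sh
# Added example, not from the original thread.
# UPLOAD_BASE and both function names are assumptions chosen for illustration.
UPLOAD_BASE="${UPLOAD_BASE:-/srv/uploads}"

# Create $UPLOAD_BASE/<user> (mode 0700) and link it as <home>/uploads.
# Ownership and group for the web server are site-specific and left out.
setup_user_upload() {
    user=$1 home=$2
    # Reject names that could escape the base directory.
    case $user in
        ''|.|..|*/*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    dir=$UPLOAD_BASE/$user
    link=$home/uploads
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    # Never replace a real file or directory in the user's home.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "refusing to replace $link" >&2; return 1
    fi
    ln -sfn "$dir" "$link"
}

# Delete regular files older than <days> days below the upload base.
# find(1) stands in for tmpwatch here so the example runs on any system.
purge_stale_uploads() {
    days=$1
    case $days in
        ''|*[!0-9]*) echo "days must be a number" >&2; return 1 ;;
    esac
    [ -d "$UPLOAD_BASE" ] || return 0
    # -xdev stays on one filesystem; find does not follow symlinks by default.
    find "$UPLOAD_BASE" -xdev -type f -mtime +"$days" -exec rm -f -- {} +
}

# Example /etc/cron.d entry (the script path is a placeholder):
#   30 3 * * * root . /usr/local/lib/upload-dirs.sh && purge_stale_uploads 7
```

Because the upload tree is its own directory, it can sit on whichever filesystem carries the quota you want to apply.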