Proposing Fedora Feature for private /tmp and /var/tmp for all systemd services in Fedora 17.

Lennart Poettering mzerqung at 0pointer.de
Tue Nov 8 01:47:02 UTC 2011


On Mon, 07.11.11 16:08, Simo Sorce (simo at redhat.com) wrote:

> On Mon, 2011-11-07 at 15:42 -0500, Daniel J Walsh wrote:
> > 
> > On 11/07/2011 03:38 PM, Matej Cepl wrote:
> > > Dne 7.11.2011 20:50, Daniel J Walsh napsal(a):
> > >> systemd as of Fedora 16 has the ability to run system services
> > >> with private /tmp and /var/tmp.  I would like to propose that we
> > >> make this the default in Fedora 17, or at least open a bugzilla
> > >> on all system services that we know of that use /tmp and /var/tmp
> > >> to make them use private /tmp and /var/tmp.
> > > 
> > > I am afraid, the proper way how to propose new Feature in Fedora is
> > >  described on http://fedoraproject.org/wiki/Features/Policy .
> > > Throwing it on fedora-devel is I am afraid most likely a waste of
> > > time.
> > > 
> > > Matěj
> > > 
> > 
> > I know I just opened a couple of other features on Fedora 17.  I just
> > wanted to open discussion on this about what would be the best way to
> > do this.
> > 
> > * Make it default in systemd
> > * Open bugzillas on apps that SELinux discovers use /tmp and ask them
> > to change.
> > * Maybe a bad idea.  Since admins might get confused by different /tmp(s).
> > * Reasonable reasons for service apps to use /tmp.
> 
> Why not simply open bugs to have apps use /var/run/<name> ?

I think in some cases /tmp is preferable over /run, i.e. think
apache where users upload huge files. You don't want that on /run which
always is tmpfs. Having them on /tmp (which doesn't have to be tmpfs and
currently isn't by default) is advisable.

> I did something similar patching samba long ago to not export the
> winbindd pipes in /tmp and sounds cleaner and avoid confusion.
> 
> The main issue with moving /tmp to /var/run or something is if you
> *really* need to allow random users to write in it.

There's $XDG_RUNTIME_DIR for that.

But in general I believe that /run as in "runtime" is different from /tmp
as in "temporary". /run should only include sockets, pid files, shared
memory areas and other communication primitives, i.e. stuff which is
small. /tmp OTOH is something where apache should be able to store big
blobs of data that a user is uploading to a web site.

> Because in that case you risk local DoS if users fill up the space (not
> necessarily out of malice).

There's currently a discussion on lkml on this, regarding introduction
of RLIMIT_TMPFSQUOTA.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
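As an added illustration of the two mechanisms discussed in this message (not part of the thread, and not Fedora's or systemd's own files): a systemd drop-in that gives a service the private /tmp and /var/tmp Dan proposes, and separately a per-service directory under /run for the small communication primitives Lennart says belong there. The service name httpd.service is assumed; PrivateTmp= existed when this thread was written, while RuntimeDirectory= was added in a later systemd release.

```ini
# /etc/systemd/system/httpd.service.d/private-tmp.conf
# Drop-in for the assumed httpd.service; the same two lines work for any unit.
[Service]
# Mount a fresh, service-owned directory over /tmp and /var/tmp inside the
# service's mount namespace. It lives on whatever backs the host /tmp
# (disk by default in Fedora at the time of the thread, not tmpfs), so
# large user uploads do not land in the always-tmpfs /run.
PrivateTmp=yes

# Sockets, pid files and other small runtime state go under /run/httpd,
# created at start and removed at stop. Added in a later systemd release
# than this thread; shown here only to separate "runtime" from "temporary".
RuntimeDirectory=httpd
```

After `systemctl daemon-reload` and a restart, `systemctl show -p PrivateTmp httpd.service` reports `PrivateTmp=yes`. The admin-confusion point raised in the thread is real: from a root shell the service's files are not at /tmp/ but under a per-service `systemd-private-*` directory inside the host /tmp, and `ls /tmp` from inside the service shows only that private view.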