From owner-freebsd-security Tue Feb 26 15:25:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 8148037B402 for ; Tue, 26 Feb 2002 15:25:29 -0800 (PST) Received: (qmail 46062 invoked by uid 1001); 26 Feb 2002 23:24:34 -0000 Date: Tue, 26 Feb 2002 18:24:34 -0500 From: "Peter C. Lai" To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: Third /tmp location ? (and maybe a fourth too) Message-ID: <20020226182434.B45921@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <20020226095708.Y20347-100000@roble.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020226095708.Y20347-100000@roble.com>; from marquis@roble.com on Tue, Feb 26, 2002 at 10:12:04AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Feb 26, 2002 at 10:12:04AM -0800, Roger Marquis wrote: > Bill Vermillion wrote: > > > From: Dag-Erling Smorgrav > > > > > Bill Vermillion writes: > > > > > Is the /usr/tmp really used for somethink usefull ? > > > > I would think man 7 hier will answer that for you in a hurry. > > > > Yes it really is usefull. > > > > > Bzzzt. FreeBSD has never had /usr/tmp, and all software that expects > > > /usr/tmp has been changed to use /var/tmp instead. > > > > And I set /usr/tmp for many things because there is no reason that > > I can see to have var so big that it will hold large files I may > > have to edit. I put /usr/tmp in almost all my .exrc files > > as too many times I've gotten 'file system full'. > > File system full errors are typically caused by unnecessary > partitioning. You rarely see them on single-partition systems. > Creating symlinks or additional tmp directories to avoid the > inevitable drawback of excess partitions is two bads, which don't > sum to a good. Both also violate the KIS principle. > Unfortunately, as demonstrated in another reply, the optimal partition scheme (/, /usr, /var) is preferred over single partition schemes. However, it is unable to avoid this problem. Unless you are running a news server or heavy mail server, /var doesn't need to be very big (and you are wasting space by making it so). I have a 50mb /var partition, but I wouldn't be able to say, pkg_add StarOffice or something and have it fit like that. Perhaps use of growfs(8) should be discussed? (off this list of course :) > > As I said "Yes it really is usefull". User applications really > > should probably go in /usr/tmp if you have a lot of users. > > I do believe you're serious!? A better solution, if you *really* > need a user+shared application space, would be /usr/local/${user}/... > but even that's a hack. How about `mkdir /usr/local/$app ; chown > $user /usr/local/app ; ln -s /usr/local/$app/bin/$app /usr/local/bin`? > Aren't ./tmp directories usually set sticky so that Thus, everyone can create or write to their own file, but they can not touch (in the literal sense) other people's files in that directory. To me, to replicate your scheme, one merely needs to chmod 0770 (or 0660 only) stuff that gets put in there... > WRT security, shared user application directories, whether /var/tmp > or /cgi-bin, should be avoided where possible. This is what > read-only permissions and root-only access are all about. Read above... > > -- > Roger Marquis > Roble Systems Consulting > http://www.roble.com/ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message