Diff: PerUserTempDirs

Differences between current version and predecessor to the previous major change of PerUserTempDirs.


Newer page: version 13 Last edited on Wednesday, February 7, 2007 10:29:21 pm by DanielLawson
Older page: version 11 Last edited on Tuesday, November 16, 2004 11:57:43 pm by StuartYeates
@@ -4,27 +4,31 @@
 * It helps to protect against abusers with exploited non-root services from leveraging a tmpfile exploit to gain a users account. 
 * It reduces the effects of /tmp becoming large and therefore slow to search. 
 The first part of the script goes in /etc/skel/.bash_profile before you create user accounts: 
  # Set up each users own temp directory (kinda) 
  mkdir -p /tmp/$USER/create.$$ 2>/dev/null 
- if [ [ -O /tmp/$USER ]; then 
+ if [ -O /tmp/$USER ]; then 
  TMPDIR=$(mktemp -d /tmp/${USER}.XXXXXX) 
  touch $TMPDIR/.bash.$$ 
- [ [ -d $TMPDIR/create.$$ ] && rmdir $TMPDIR/create.$$ 
+ [ -d $TMPDIR/create.$$ ] && rmdir $TMPDIR/create.$$ 
 Then in .bash_logout: 
  rm $TMPDIR/.bash.$$ 
  rmdir $TMPDIR 2>/dev/null 
 This means that it will remove the directory when the last shell is closed and there are no more files in the directory. 
 The reason for creating then deleting $TMPDIR/create.$$, as some may wonder, is to make the mkdir an atomic operation that should stop any shell that is logging out as you log in, from removing $TMPDIR before a file is created within it ($TMPDIR/.bash.$$) 
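Review bot: the atomic-create trick never fires, because the lock directory and the temp directory are in different places. `mkdir -p /tmp/$USER/create.$$` creates the marker under `/tmp/$USER`, but `TMPDIR` is then set by `mktemp -d /tmp/${USER}.XXXXXX`, a fresh sibling directory, so `[ -d $TMPDIR/create.$$ ]` is always false, `/tmp/$USER/create.$$` is left behind on every login, and the logout-race protection the paragraph describes is not provided. Either make the marker and the temp directory the same path (create the marker inside the directory you keep) or drop the `-O /tmp/$USER` branch and rely on `mktemp -d` alone, which already creates the directory atomically with mode 0700. Two smaller points on the same lines: the `if` has no closing `fi` in the visible script, and `TMPDIR` is assigned but not exported, so programs started from the shell will still use `/tmp`; `export TMPDIR=$(mktemp -d /tmp/${USER}.XXXXXX)` fixes the latter.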
@@ -40,21 +44,25 @@
 No no no no. Don't have the users fiddling things. That's prone to problems, since you need to grant them permissions to be able to do that. The right way is to have the Hand Of God set things up for the users in a directory structure they have no permissions in. Basic setup: 
  mkdir -m 711 /tmp-safe /tmp-safe/user 
  mkdir -m 1777 /tmp-safe/global 
  chown root.root /tmp-safe /tmp-safe/user /tmp-safe/global 
  ln -s /tmp /tmp-safe/global 
 Now once you have that in place, invoke the following script instead of login(1): 
  # FIXME: assumes $1 == username, but login(1) takes options, so parse with getopts 
  mkdir -m 700 /tmp-safe/user/"$1" /tmp/"$1" 
  chown "$1": /tmp-safe/user/"$1" /tmp/"$1" 
  mount --bind /tmp-safe/user/"$1" /tmp/"$1" || exit 1 
  exec /bin/login "$@" 
 Now /tmp and /tmp/$USER have nothing whatsoever to do with each other, and since the latter is merely a mountpoint, whatever permissions a preexisting directory at that location might have had doesn't matter in the slightest. You can have a process cd'ed to /tmp/$USER sitting in the background as long as the user is logged in. If unmounting the bind succeeds, you can delete /tmp-safe/user/$USER 
 Personally I might leave out the /tmp/$USER thing entirely and just point TMPDIR to /tmp-safe/user/$USER. (Do the simplest thing that could possibly work.) You'll have to have cron periodically vacuum the place then of course.
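Review bot: the setup block creates `/tmp-safe/global` as a directory and then runs `ln -s /tmp /tmp-safe/global`; since the target already exists as a directory, `ln` will place the link inside it as `/tmp-safe/global/tmp` rather than make `/tmp-safe/global` point at `/tmp`. Keep one or the other (the `mkdir -m 1777` if the shared directory is meant to live under `/tmp-safe`, the `ln -s` if it is meant to alias `/tmp`). In the login wrapper, `"$1"` is used as a path component while running as root before authentication, so the FIXME about option parsing should also validate it against a plain username pattern (no `/`, no `..`) before the `mkdir`/`chown`/`mount` lines; and a second login by the same user will fail on `mkdir -m 700` (no `-p`) or, if that is relaxed, stack a second bind mount on `/tmp/"$1"`, so check whether the mount already exists before calling `mount --bind`.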