On Tue 22 Aug 2023, Andras Korn wrote:
>
> having libpam-tmpdir installed results in PAM creating a
> /tmp/user/<numeric-user-id-here> directory for every user when they start a
> session, setting TMP and TMPDIR to this directory.
>
> Long-running processes such as web applications started e.g. via sudo -u
> someuser may end up with their TMP set to /tmp/user/<id-of-someuser>, which
> is desirable because it makes /tmp attacks against them harder.
>
> However, if they don't use their individual tmp directories frequently,
> tmpreaper with its default settings may delete them, breaking the application.
>
> I suggest that the default configuration be changed thusly:
>
> TMPREAPER_PROTECT_EXTRA='/tmp/user/[0-9]*'
> TMPREAPER_DIRS='/tmp/. /tmp/user/*/.'
TMPREAPER_DIRS is the list of directories to search for old files, so only
the TMPREAPER_PROTECT_EXTRA list is what you want.

Thanks,
Paul
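The following is an added example, not part of this bug thread and not code from the tmpreaper or libpam-tmpdir packages. It writes two constructed tmpreaper.conf fragments (the stock-looking one and the one with the protect pattern from the thread, with TMPREAPER_DIRS left alone as Paul says) and checks which paths each would shield from reaping. The one assumption it makes, and that the thread's pattern '/tmp/user/[0-9]*' also relies on, is that tmpreaper matches each protect pattern as a shell glob against the full path; the sample paths and both conf files are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread or the tmpreaper package): check a
# candidate /etc/tmpreaper.conf so that the per-user directories that
# libpam-tmpdir creates under /tmp/user/<uid> match a protect pattern,
# while ordinary stale files under /tmp do not.
#
# Assumption: tmpreaper applies each protect pattern as a shell glob
# against the full path (what '/tmp/user/[0-9]*' relies on). Both conf
# files below are constructed for this example.

set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak setting (as this example assumes the stock file looks): nothing
# under /tmp/user is protected, so an idle per-user tmpdir gets reaped.
DEFAULT_CONF="$WORK/tmpreaper.conf.default"
cat > "$DEFAULT_CONF" <<'EOF'
TMPREAPER_PROTECT_EXTRA=''
TMPREAPER_DIRS='/tmp/.'
EOF

# Corrected setting: only PROTECT_EXTRA changes; TMPREAPER_DIRS stays the
# list of directories to scan, exactly as in the stock file.
FIXED_CONF="$WORK/tmpreaper.conf.fixed"
cat > "$FIXED_CONF" <<'EOF'
TMPREAPER_PROTECT_EXTRA='/tmp/user/[0-9]*'
TMPREAPER_DIRS='/tmp/.'
EOF

# is_protected CONF PATH -> exit 0 if PATH matches any protect pattern.
# Runs in a subshell so sourcing the conf leaks no variables, and with
# set -f so the patterns are split into words but never expanded against
# the live filesystem (on a host running libpam-tmpdir, an unquoted
# /tmp/user/[0-9]* would otherwise glob to the real directories).
is_protected() {
    conf=$1; path=$2
    (
        set -f
        . "$conf"
        for pat in $TMPREAPER_PROTECT_EXTRA; do
            case "$path" in
                $pat) exit 0 ;;
            esac
        done
        exit 1
    )
}

# report CONF: print the verdict for a few constructed sample paths.
report() {
    conf=$1
    for p in /tmp/user/1000 /tmp/user/33 /tmp/user/1000/sess_abc \
             /tmp/stale.log /tmp/usertmp; do
        if is_protected "$conf" "$p"; then
            echo "PROTECTED  $p"
        else
            echo "reapable   $p"
        fi
    done
}

echo "== default conf =="; report "$DEFAULT_CONF"
echo "== fixed conf   =="; report "$FIXED_CONF"
```

Two things the run makes visible that the one-line suggestion does not: a sibling entry such as /tmp/usertmp is not covered by the pattern (the slash after user is required), and, under the full-path glob assumption, everything below /tmp/user/1000 matches too, because an unanchored `*` in a shell pattern also matches `/`. Whether that second point holds for a given tmpreaper version is for the reader to confirm against the package's documentation; the script only shows what the pattern itself says.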

