On Sat, Mar 15, 2025 at 01:25:10PM +0100, Paul Slootman wrote:
> > having libpam-tmpdir installed results in PAM creating a
> > /tmp/user/<numeric-user-id-here> directory for every user when they start a
> > session, setting TMP and TMPDIR to this directory.
> >
> > Long-running processes such as web applications started e.g. via sudo -u
> > someuser may end up with their TMP set to /tmp/user/<id-of-someuser>, which
> > is desirable because it makes /tmp attacks against them harder.
> >
> > However, if they don't use their individual tmp directories frequently,
> > tmpreaper with its default settings may delete them, breaking the
> > application.
> >
> > I suggest that the default configuration be changed thusly:
> >
> > TMPREAPER_PROTECT_EXTRA='/tmp/user/[0-9]*'
> > TMPREAPER_DIRS='/tmp/. /tmp/user/*/.'
>
> TMPREAPER_DIRS is the list of directories to search for old files, so
> only the TMPREAPER_PROTECT_EXTRA list is what you want.
Even if /tmp/user (or a particular subdir under /tmp/user) is a mountpoint?
And won't the PROTECT_EXTRA also apply to the contents of /tmp/user/[0-9]*/?
If yes and no respectively, then I'm of course OK with just setting
TMPREAPER_PROTECT_EXTRA.
András
--
Early bird gets the worm, but the second mouse gets the cheese.
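The open question in this exchange is whether a TMPREAPER_PROTECT_EXTRA pattern such as `/tmp/user/[0-9]*` also covers the files inside each per-user directory. The script below is an added illustration, not code from this bug thread, from tmpreaper or from libpam-tmpdir. It assumes that a `--protect` pattern is an ordinary shell (fnmatch) pattern tested against the full pathname, which is the same matching a POSIX `case` statement performs; under that assumption it builds a constructed stand-in for `/tmp` in a scratch directory and reports which entries a given pattern would and would not shield. The function names (`protected_by`, `classify_tree`, `count_reapable`, `build_sample_tree`) and the sample paths are invented for the example. It models pattern coverage only; tmpreaper's own age thresholds, empty-directory handling and mountpoint behaviour are not reproduced, so the authoritative check on a real system remains `tmpreaper --test` with the candidate options.

```shell
#!/bin/sh
# Added example: not code from the bug thread, tmpreaper or libpam-tmpdir.
# Assumption: a tmpreaper --protect pattern is a shell (fnmatch) pattern
# matched against the full pathname, exactly as a POSIX 'case' matches.
# Nothing below touches the real /tmp; everything runs in a mktemp scratch dir.

# protected_by PATH PATTERN: exit 0 if PATH matches PATTERN, else 1.
protected_by() {
    case "$1" in
        $2) return 0 ;;   # unquoted $2 is expanded and used as a pattern
        *)  return 1 ;;
    esac
}

# classify_tree ROOT PATTERN: print "PROTECT <path>" or "REAP <path>" for
# every entry below ROOT/tmp, with ROOT stripped so paths read as /tmp/...
# (coverage by the pattern only; age and empty-directory rules not modelled)
classify_tree() {
    root=$1
    pattern=$2
    find "$root/tmp" -mindepth 1 | LC_ALL=C sort | while read -r p; do
        rel=${p#"$root"}
        if protected_by "$rel" "$pattern"; then
            echo "PROTECT $rel"
        else
            echo "REAP    $rel"
        fi
    done
}

# count_reapable ROOT PATTERN: number of entries the pattern does not cover.
count_reapable() {
    classify_tree "$1" "$2" | grep -c '^REAP' || true   # grep -c exits 1 on 0 hits
}

# build_sample_tree: constructed stand-in for a /tmp populated by
# libpam-tmpdir (numeric-uid directories) plus a few other entries.
# Prints the scratch root so callers can inspect and remove it.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp/user/1000/php-sessions" \
             "$root/tmp/user/33" \
             "$root/tmp/user/www-data"
    : > "$root/tmp/user/1000/php-sessions/sess_abc"   # constructed sample file
    : > "$root/tmp/user/33/upload.tmp"                # constructed sample file
    : > "$root/tmp/stale.lock"                        # constructed sample file
    echo "$root"
}

# Stand-alone run: show what the proposed TMPREAPER_PROTECT_EXTRA covers.
sample_root=$(build_sample_tree)
echo "Pattern: /tmp/user/[0-9]*"
classify_tree "$sample_root" '/tmp/user/[0-9]*'
echo "Entries left reapable: $(count_reapable "$sample_root" '/tmp/user/[0-9]*')"
rm -rf "$sample_root"
```

With fnmatch-style matching, `*` also matches `/`, so `/tmp/user/1000/php-sessions/sess_abc` is covered by `/tmp/user/[0-9]*` and only `/tmp/stale.lock`, `/tmp/user` itself and the non-numeric `/tmp/user/www-data` remain reapable. If the installed tmpreaper matches patterns differently, `tmpreaper --test` on the real `/tmp` is the check that settles it.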