On Sat, Mar 15, 2025 at 01:25:10PM +0100, Paul Slootman wrote:

> > having libpam-tmpdir installed results in PAM creating a 
> > /tmp/user/<numeric-user-id-here> directory for every user when they start a 
> > session, setting TMP and TMPDIR to this directory.
> > 
> > Long-running processes such as web applications started e.g. via sudo -u 
> > someuser may end up with their TMP set to /tmp/user/<id-of-someuser>, which 
> > is desirable because it makes /tmp attacks against them harder.
> > 
> > However, if they don't use their individual tmp directories frequently, 
> > tmpreaper with its default settings may delete them, breaking the 
> > application.
> > 
> > I suggest that the default configuration be changed thusly:
> > 
> > TMPREAPER_PROTECT_EXTRA='/tmp/user/[0-9]*'
> > TMPREAPER_DIRS='/tmp/. /tmp/user/*/.'
> 
> TMPREAPER_DIRS is the list of directories to search for old files, so
> only the TMPREAPER_PROTECT_EXTRA list is what you want.

Even if /tmp/user (or a particular subdir under /tmp/user) is a mountpoint?

And won't the PROTECT_EXTRA also apply to the contents of /tmp/user/[0-9]*/?

If yes and no respectively, then I'm of course OK with just setting 
TMPREAPER_PROTECT_EXTRA.

András

-- 
        Early bird gets the worm, but the second mouse gets the cheese.
