On Sat, May 26, 2012 at 09:29:30PM +0700, Ivan Shmakov wrote: > … But that makes me recall a solution to both the /tmp and quota > issues I've seen somewhere: use ~/tmp/ instead of /tmp. This > way, user's temporary files will be subject to exactly the same > limits as all the other his or her files. > > (Still, we may need to identify the software that ignores TMPDIR > and tries to write to /tmp unconditionally.) > > > (Snark aside, does tmpfs support quotas yet/will it ever?)
These days I'd argue that multi-user is such a corner case that it's not worth optimizing for it as far as defaults are concerned. If you're trying to run a secure multi-user system, you need to be an expert system administrator, keep up with all security patches, and even then, good luck to you. (The reality is that these days, no matter what OS you're talking about, shell == root. And that's probably even true on the most unusably locked down SELinux system.) What I'd do in that situation is to use per-user /tmp directories, where each user would get its own mount namespace, and so each user would have its own /tmp --- either a bind-mounted $(HOME)/tmp to /tmp if you want to enforce quotas that way, or a separate tmpfs for each user --- and then you can specify the size of the per-user tmpfs mounted on each user's version of /tmp. Cheers, - Ted -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120526183215.ga11...@thunk.org