Re: /var/run and scripts
On Thu, 4 Sep 2003 05:45, Marco d'Itri wrote:
> On Sep 03, Russell Coker [EMAIL PROTECTED] wrote:
> > Given that /var/tmp is bad for security, what would you suggest?
> It's bad only if your program is broken. And safe creation of temp files is not hard...

Given the history of people getting it wrong I find it difficult to agree with you.

> So I think that the correct location is /tmp or /var/tmp if the script is temporary or /var/lib/something if it's not.

The general opinion seems to be that /var/run is OK, and there is not enough weight of opinion against it to ask people to change existing code. So I'll have to tolerate /var/run.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Re: /var/run and scripts
Matt Zimmerman:
> noexec /tmp and /var/tmp seem to create far more problems than they solve.

I've run with /tmp set to noexec for quite some time on some machines, and it tends to work quite well. The only thing that seems to fail occasionally is debconf, despite that I point TMPDIR to a directory that is executable. But those machines all run stable, so it might have been fixed since.

--
\\// Peter - http://www.softwolves.pp.se/
I do not read or respond to mail with HTML attachments.
Re: /var/run and scripts
Pierre THIERRY said [Wed, Sep 03, 2003 at 03:25:18AM +0200]:
> > If not where should it be?
> What about /usr/local/package or /var/opt/package? The former seems to be the best one, to me...

/usr should be mountable read-only... I would go for /var/opt or -if it is a disposable script- /tmp or /var/tmp (of course, exercising enough care)

--
Gunnar Wolf - [EMAIL PROTECTED] - (+52-55)5630-9700 ext. 1366
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF
Re: /var/run and scripts
On Tue, 2003-09-02 at 15:34, Russell Coker wrote:
> The FHS is not clear on whether it is OK to put a script in /var/run. If a program wants to create a script and then run it, where should it be placed? Red Hat has apmd creating such scripts under /var/run. Is this correct?

I know of no prohibition against executable scripts in /var/run. Why should there be such a prohibition? Unless an answer to this turns up, go ahead and use /var/run.

--
Thomas Hood
Re: /var/run and scripts
On Tue, Sep 02, 2003 at 11:49:43PM -0500, Gunnar Wolf wrote:
> /usr should be mountable read-only... I would go for /var/opt or -if it is a disposable script- /tmp or /var/tmp (of course, exercising enough care)

On my system I try to have /var mounted noexec, and /usr readonly. Both break dpkg runs, of course. But in normal, non system maintenance mode, this works fine. I would like to preserve that, especially /tmp and /var/tmp I would not like to see executable.

Greetings
Bernd

--
(OO) -- [EMAIL PROTECTED] --
( .. ) [EMAIL PROTECTED],linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD [EMAIL PROTECTED] +497257930613 BE5-RIPE
(OO) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
Re: /var/run and scripts
On Wed, Sep 03, 2003 at 11:31:28AM +1000, Russell Coker wrote:
> /var/opt sounds reasonable.

What Steve said. Also, /var/lib is the default place for dynamically created stuff that doesn't have somewhere else to go.

Cheers,
aj

--
Anthony Towns [EMAIL PROTECTED] http://azure.humbug.org.au/~aj/
I don't speak for anyone save myself. GPG signed mail preferred.
``Is this some kind of psych test? Am I getting paid for this?''
Re: /var/run and scripts
On Wed, 3 Sep 2003 12:00, Steve Langasek wrote:
> On Wed, Sep 03, 2003 at 11:31:28AM +1000, Russell Coker wrote:
> > On Wed, 3 Sep 2003 11:25, Pierre THIERRY wrote:
> > > > If not where should it be?
> > > What about /usr/local/package or /var/opt/package? The former seems to be the best one, to me...
> > /usr/local is not good for files that will be created automatically from programs that are part of a package, it should be reserved for files created by the administrator.
> > /var/opt sounds reasonable.
> The /var/opt directory corresponds to /opt, and is not available for Debian package use.

Given that /var/tmp is bad for security, what would you suggest?

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Re: /var/run and scripts
Anthony Towns, on 2003-09-03, 14:26, you wrote:
> What Steve said. Also, /var/lib is the default place for dynamically created stuff that doesn't have somewhere else to go.

What about /var/lib/package/bin (kind of qmail-style)?

Joerg

--
Joerg joergland Wendland
GPG: 51CF8417 FP: 79C0 7671 AFC7 315E 657A F318 57A3 7FBD 51CF 8417
Re: /var/run and scripts
Anthony Towns, on 2003-09-03, 14:26, you wrote:
> What Steve said. Also, /var/lib is the default place for dynamically created stuff that doesn't have somewhere else to go.

If the script needs to be preserved across reboot then put it in /var/lib/pckg/ ; otherwise put it in /var/run/pckg/ .

--
Thomas Hood
Re: /var/run and scripts
On Wed, Sep 03, 2003 at 03:20:49PM +1000, Russell Coker wrote:
> On Wed, 3 Sep 2003 12:00, Steve Langasek wrote:
> > On Wed, Sep 03, 2003 at 11:31:28AM +1000, Russell Coker wrote:
> > > On Wed, 3 Sep 2003 11:25, Pierre THIERRY wrote:
> > > > > If not where should it be?
> > > > What about /usr/local/package or /var/opt/package? The former seems to be the best one, to me...
> > > /usr/local is not good for files that will be created automatically from programs that are part of a package, it should be reserved for files created by the administrator.
> > > /var/opt sounds reasonable.
> > The /var/opt directory corresponds to /opt, and is not available for Debian package use.
> Given that /var/tmp is bad for security, what would you suggest?

Either /var/run or /var/lib seem suitable, depending on the persistence of the script in question.

--
Steve Langasek
postmodern programmer
Re: /var/run and scripts
On Tue, Sep 02, 2003 at 11:34:02PM +1000, Russell Coker wrote:
> The FHS is not clear on whether it is OK to put a script in /var/run. If a program wants to create a script and then run it, where should it be placed? Red Hat has apmd creating such scripts under /var/run. Is this correct? If not where should it be?

Creating a script dynamically? I use /tmp.

--
- mdz
Re: /var/run and scripts
On Wed, Sep 03, 2003 at 07:34:07AM +0200, Bernd Eckenfels wrote:
> I would like to preserve that, especially /tmp and /var/tmp I would not like to see executable.

noexec /tmp and /var/tmp seem to create far more problems than they solve.

--
- mdz
Re: /var/run and scripts
Russell Coker wrote:
> The FHS is not clear on whether it is OK to put a script in /var/run. If a program wants to create a script and then run it, where should it be placed? Red Hat has apmd creating such scripts under /var/run. Is this correct? If not where should it be?

One example of just such a program is hotplug's usb.agent, which uses temporary scripts in /var/run/usb that are created by scripts in /etc/hotplug/usb. The temporary script is run when the usb device is removed.

--
see shy jo
Re: /var/run and scripts
On Sep 03, Russell Coker [EMAIL PROTECTED] wrote:
> Given that /var/tmp is bad for security, what would you suggest?

It's bad only if your program is broken. And safe creation of temp files is not hard...

So I think that the correct location is /tmp or /var/tmp if the script is temporary or /var/lib/something if it's not.

--
ciao, | Marco | [1621 ritGT1UsnteCE]
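
[Added example, not part of any message in this thread and not code from any poster or package mentioned.] One way to create a generated script safely in a shared or runtime directory, which is the step the messages above disagree about. The names make_script, remove_script, the "pckg." prefix and run.sh are illustrative assumptions; the base directory argument stands in for /tmp, /var/tmp or a package directory such as /var/run/pckg.

```shell
#!/bin/sh
# Added example: create a generated script without trusting a shared directory.
# Assumptions: make_script, the "pckg." prefix and run.sh are illustrative;
# the base argument stands in for /tmp, /var/tmp or /var/run/pckg.

# make_script BASE  -- reads the script body on stdin, prints the new path.
make_script() {
    base=${1:-${TMPDIR:-/tmp}}
    # A symlinked base lets whoever made the link decide where we write.
    if [ -L "$base" ] || [ ! -d "$base" ]; then
        echo "make_script: $base is not a real directory" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077    # everything created below is owner-only from the start
    # mktemp -d chooses an unpredictable name and fails instead of reusing
    # an existing entry, so a name planted in advance is never followed.
    dir=$(mktemp -d "$base/pckg.XXXXXX") || { umask "$old_umask"; return 1; }
    script=$dir/run.sh
    # noclobber (set -C) makes ">" refuse to write to an existing file.
    if ! ( set -C; cat > "$script" ); then
        rm -rf "$dir"; umask "$old_umask"; return 1
    fi
    chmod 700 "$script"
    umask "$old_umask"
    printf '%s\n' "$script"
}

# remove_script PATH  -- delete the script together with its private directory.
remove_script() {
    [ -n "$1" ] || return 1
    rm -rf "$(dirname "$1")"
}

# Usage (the script body is a constructed sample):
#   s=$(printf '#!/bin/sh\necho cleanup\n' | make_script /var/run/pckg) && sh "$s"
#   remove_script "$s"
```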
Re: /var/run and scripts
> If not where should it be?

What about /usr/local/package or /var/opt/package? The former seems to be the best one, to me...

Quickly,
le Moine Fou

--
[EMAIL PROTECTED]
OpenPGP 0xD9D50D8A
Re: /var/run and scripts
On Wed, 3 Sep 2003 11:25, Pierre THIERRY wrote:
> > If not where should it be?
> What about /usr/local/package or /var/opt/package? The former seems to be the best one, to me...

/usr/local is not good for files that will be created automatically from programs that are part of a package, it should be reserved for files created by the administrator.

/var/opt sounds reasonable.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Re: /var/run and scripts
On Wed, Sep 03, 2003 at 11:31:28AM +1000, Russell Coker wrote:
> On Wed, 3 Sep 2003 11:25, Pierre THIERRY wrote:
> > > If not where should it be?
> > What about /usr/local/package or /var/opt/package? The former seems to be the best one, to me...
> /usr/local is not good for files that will be created automatically from programs that are part of a package, it should be reserved for files created by the administrator.
> /var/opt sounds reasonable.

The /var/opt directory corresponds to /opt, and is not available for Debian package use.

--
Steve Langasek
postmodern programmer