Stefan Sperling <s...@stsp.name> wrote: > On Tue, Apr 07, 2020 at 09:37:02AM -0600, Theo de Raadt wrote: > > > The idea was to have /var/www/tmp created by default, but with > > > www:www ownership. > > > Create the directory. Now as a user, completely fill it. > > The proposal is to create tmp with www:www ownership, writable only for > that user, not like the old /var/tmp which was writable by anyone.
That's not true; the diff created it mode 1777. A smaller secondary concern is if you can convince software using this space, from remote, to hog the space too much, and/or lose track of files in there. Which would also create the fallout problems of "/var is full". It's a matter of how other /var-using software misbehaves or fails in those circumstances. These concerns have been ignored too long.