Re: systemd private tmp dirs

On Thu, Apr 16, 2015 at 9:25 AM, Matthew Miller <mattdm@xxxxxxxxxx> wrote:
> On Thu, Apr 16, 2015 at 07:44:21AM -0500, Les Mikesell wrote:
>> > The issue here really isn't systemd or the PrivateTmp feature but the
>> > fact that some applications don't properly distinguish between temporary
>> > files and data files.
>> Maybe, but if an application wants a private directory for temporary
>> files, shouldn't it create and manage that directory itself instead of
>> being second-guessed by the default configuration of the OS?
>
> This one I have a clear answer for: no. It's the distribution's job to
> help regularize application practices, especially when they don't
> follow good practices for security.

Really?  I would have expected that it was the distribution's job to
not surprise coders or administrators.  Particularly for 'enterprise'
operating systems where the point is to keep the same application
working the same way, often for the life of a company.

> Ideally, we work with upstreams on
> this, but sometimes where it's just a matter of configuration, we
> choose to exercise options to make everything fit together.

I typically have many web 'applications' running on the same system
under the same apache instance, distinguished only by the top-level
directory in the URL.  Even if it made sense to someone to surprise
these applications by remapping the filesystem for some reason, why
would it make sense for them to share what the system thinks it is
making private?

-- 
   Les Mikesell
     lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
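An added example for the subject of this thread, not code from the list post or from the CentOS project: a small script an administrator can use to check whether a unit runs with PrivateTmp, locate the private /tmp systemd has given it, and print the drop-in that turns the option off for that one unit. It assumes the unit is named httpd.service as in the CentOS httpd package, and that the private directory follows systemd's /tmp/systemd-private-*-<unit>-*/tmp naming convention.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and override PrivateTmp for one unit.
# Assumes a systemd host (e.g. CentOS 7) and the unit name httpd.service.

UNIT="${1:-httpd.service}"

# Succeed only when a "Key=value" dump (as printed by `systemctl show -p PrivateTmp UNIT`)
# says the option is on. Accepts yes/true because systemd prints booleans as yes/no.
private_tmp_enabled() {
    printf '%s\n' "$1" | grep -qiE '^PrivateTmp=(yes|true)$'
}

# Contents of a drop-in that disables PrivateTmp for one unit without editing the
# packaged unit file (a package update would overwrite that file; a drop-in survives).
override_text() {
    printf '[Service]\nPrivateTmp=false\n'
}

# List the private /tmp directories systemd created for the unit, if any.
# Name pattern assumed from systemd's "systemd-private-<id>-<unit>-<random>" convention.
find_private_tmp() {
    ls -d /tmp/systemd-private-*-"$1"-* 2>/dev/null
}

main() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "systemctl not found; nothing to inspect" >&2
        return 1
    fi
    setting=$(systemctl show -p PrivateTmp "$UNIT")
    if private_tmp_enabled "$setting"; then
        echo "$UNIT runs with PrivateTmp; its private /tmp (if running) is under:"
        find_private_tmp "$UNIT" || echo "(none found: unit not running)"
        echo
        echo "To disable it for this unit only, write the following to"
        echo "/etc/systemd/system/$UNIT.d/override.conf,"
        echo "then run: systemctl daemon-reload && systemctl restart $UNIT"
        echo "-----"
        override_text
    else
        echo "$UNIT: $setting"
    fi
}

# Run the inspection only when executed as privtmp.sh, so the functions can also be sourced.
case "${0##*/}" in
    privtmp.sh) main "$@" ;;
esac
```

Save as privtmp.sh and run `sh privtmp.sh httpd.service`. Note that disabling PrivateTmp puts the service back on the shared /tmp, which is exactly the symlink and file-race exposure the option was introduced to remove; the override is a stopgap while the applications that keep data (rather than scratch files) in /tmp are moved to a proper state directory.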