-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/20/2010 08:13 AM, Daniel J Walsh wrote: > On 10/20/2010 07:52 AM, Richard W.M. Jones wrote: >> On Tue, Oct 19, 2010 at 04:50:43PM -0400, seth vidal wrote: >>> On Tue, 2010-10-19 at 15:40 -0500, Chris Adams wrote: >>>> Once upon a time, James Antill <james@xxxxxxxxxxxxxxxxx> said: >>>>> Putting my really old sysadmin hat on, one other reason for >>>>> having /tmp, /var and /usr as separate mount points was so that you >>>>> could allocate different disk space to each (and they couldn't break >>>>> each other) ... do we have other solutions for that? >>>> >>>> On a multi-user server (and that includes web access like PHP or CGI), >>>> you really don't want user-writable directories on a filesystem with >>>> anything important, especially security-sensitive things like setuid >>>> binaries. Hard-link tricks are evil. I run with a separate /tmp >>>> (usually tmpfs now) and bind mount it to /var/tmp as well. >>> >>> Not to get too far off into the weeds but Polyinstantianed tmpdir >>> (pam_namespace) are a good idea here. Everyone gets their on /tmp >>> and /var/tmp and no one else can see them. > >> +1 ... we should have had this a long time ago. > >> Rich. > > I have been trying to get system processes to stop using /tmp for years. > > http://danwalsh.livejournal.com/11467.html > > As some one who lives with polyinstatiated namespace /tmp, The only > problem I know of now is handing of kerberos tickets. Whenever a system > process (root) needs to communicate with a user via /tmp. namespace > /tmp breaks it. sssd can not create kerberos tickets in my /tmp and > gssd can not find my kerberos tickets in /tmp. I believe the solution > to both is to move the tickets to be managed by sssd and leave /tmp to > users. > > BTW, X has solved this problem a couple of years ago by using virtual > namespace for its sockets. https://fedorahosted.org/sssd/ticket/652 has been opened upstream with SSSD to add this functionality. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAky+52gACgkQeiVVYja6o6OS4gCfb3UpMz3sEUmKg6/t6YGiCYqC 3lMAoKQRiHRbnINBuM4nKxXshnrpTzOh =sJcU -----END PGP SIGNATURE----- -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
