On 11/07/2011 08:48 PM, Lennart Poettering wrote:
> On Mon, 07.11.11 19:15, Chris Adams (cmadams@xxxxxxxxxx) wrote:
>
>> Once upon a time, Lennart Poettering <mzerqung@xxxxxxxxxxx> said:
>>> Yes, since they are created as subdirectories of the real / with
>>> mkdtemp() and thus can be found there like any other directory if you
>>> are running in the main namespaces.
>>>
>>> No, since there's currently no sane way to figure out the private /tmp
>>> directory of a running service. I.e. there's currently no sane way to
>>> figure out which directory in /tmp appears as /tmp to
>>> avahi-daemon.service. So, while you see all the subdirs, you'll have a
>>> hard time figuring out which one is which one.
>>
>> So are they subdirectories of / or /tmp?
>
> The latter.
>
>> How do standard tools like fuser and lsof see them?
>
> If run on the main namespace, all they see is that the files are in some
> randomized subdir of /tmp, instead of /tmp itself.
>
>> I'm thinking of cases like "daemon gets cracked", where a script-kiddie
>> starts downloading attempted rootkits into /tmp, or where a luser does
>> something that starts filling up the disk, etc. If fuser/lsof can tell
>> me correctly which process is accessing that directory, that's probably
>> good enough.
>
> Yes, this works as it always did. We made sure that the behaviour change
> is as minimal as possible and all the accounting and discoverability is
> unchanged.
>
> Lennart
>

One suggestion would be to create a directory in /tmp at early boot:

/tmp/.systemd

which would have root-only access.

ls -ld /tmp/.systemd/
drwx------. 2 root root 40 Nov  8 09:04 /tmp/.systemd/

When systemd boots, before it starts any other processes, it could check for the existence of this directory and, if it has any permissions that differ, destroy it and recreate it. Then it could create the service directories underneath it with well-known names, and bind mount those directories over /tmp. Then it would be easier for the administrators to find the /tmp directories.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
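The check-and-recreate step proposed above, written out as an added example that is not part of the original mail or of systemd itself. The base directory and expected owner are hypothetical parameters (standing in for /tmp and root) so the script can run unprivileged; the final bind mount over /tmp needs CAP_SYS_ADMIN and is left as a comment.

```shell
#!/bin/sh
# Added example, not systemd code. Models the proposal: a root-only
# BASE/.systemd directory that is verified at boot and replaced if it
# differs, with well-known per-service directories underneath it.

# ensure_private_tmp_root BASE WANT_UID
# Guarantee BASE/.systemd is a real directory (not a symlink or file
# planted by someone else), owned by WANT_UID, mode 0700. Anything that
# differs is removed and recreated, as the mail suggests. Prints the path.
ensure_private_tmp_root() {
  base=$1; want_uid=$2
  dir="$base/.systemd"
  if [ -L "$dir" ] || [ -e "$dir" ]; then
    # Test -L before -d: stat(1) would follow a symlink and report the
    # target's mode and owner, not the link's.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
      rm -rf "$dir"                    # rm does not follow the link
    elif [ "$(stat -c '%a %u' "$dir")" != "700 $want_uid" ]; then
      rm -rf "$dir"                    # wrong mode or owner: start over
    fi
  fi
  if [ ! -d "$dir" ]; then
    # umask 077 makes mkdir create 0700 directly; no window where the
    # directory briefly exists with a wider mode before a chmod.
    (umask 077 && mkdir "$dir") || return 1
  fi
  printf '%s\n' "$dir"
}

# service_tmp_dir BASE SERVICE
# Create the well-known directory BASE/.systemd/SERVICE (0700) for one
# unit and print it. In the service's own mount namespace systemd would
# then run, as root:  mount --bind "$svc" /tmp
service_tmp_dir() {
  root=$(ensure_private_tmp_root "$1" "$(id -u)") || return 1
  svc="$root/$2"
  (umask 077 && mkdir -p "$svc") || return 1
  printf '%s\n' "$svc"
}
```

Run as an ordinary user with a scratch directory as BASE to see the recreate path; the owner check uses the invoking uid in place of 0.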