On Friday 12 May 2006 07:46, Marten Lehmann wrote: > > When you want to change the quotas or set them, run: > > # setquota username block-soft block-hard inode-soft inode-hard -a > > But I'm looking for a clean way to do it without workarounds with selinux! That's not an SELinux command, that's quota management. So, if you do *not* want to use SELinux, then why is this thread on this list? Or am I misunderstanding what you are saying there? > The system includes a webserver and when someone uses the fileupload of > PHP, then the uploaded file will be stored in /tmp. That is not a good idea. Instead, either create a separate location on your filesystem(s). It is dangerous to allow any network access of any kind to /tmp/. For that purpose, change the app to upload the files to a directory somewhere on the system that has a subdirectory for each user and you can then symlink the per-user subdirectories into each user's home directory. Or, you could just have the app upload files into the particular user's home directory. Both of these options would be much better (from a security standpoint) than what you are currently trying to do. > So a quota of just 1 > MB on /tmp for every user is not enough. Well, 1MB was just a relative number I used as an example. > > If the quota limits need to be as strict as your first message indicates, > > then I'm surprised you haven't already had /tmp/ on a separate > > filesystem, with separate quotas set. Additionally, I always split off > > /tmp/ so *if* it fills, it doesn't "damage" my root filesystem. > > Actually, /home is not part of the root-partition Yes, I understood that. You asked how to make them share the same quota-space and that would require them to be on the same partition. So, I phrased that as an example of having both /home/ and /tmp/ on a common filesystem. Sorry for the confusion, there. > and /tmp could be a > symlink to /home/tmp so both can use the some quota definitions. But how > can I setup a system-wide policy that disallows to execute files from > /tmp or /home/tmp? The best way, as I see it, is to stop trying to use /tmp/ for this. If the reason you are using /tmp/ is because you want old files to be removed automatically once they get "stale enough," then create your own cron job that runs tmpwatch and clears your upload director(y|ies). Simple. More secure. No danger in /tmp/. Quotas could be applied as you like. -- Lamont R. Peterson <lamont@xxxxxxxxxxxx> Senior Instructor Guru Labs, L.C. [ http://www.GuruLabs.com/ ] GPG Key fingerprint: F98C E31A 5C4C 834A BCAB 8CB3 F980 6C97 DC0D D409
Attachment:
pgpG5IoVWW2bB.pgp
Description: PGP signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
