Bugtraq mailing list archives

Re: Tired of /tmp? Here's a proposed solution


From: wam () FEDEX COM (William McVey)
Date: Tue, 27 Aug 1996 17:55:48 -0500


Guido M. Witmond wrote:
What about removing the CONCEPT of public writable filesystems like /tmp.

I still like the idea of having a /tmp since it is an area which
can be routinely cleaned and users have no expectation that files
would last in the hierarchy from day to day.  Keeping reasonable
quotas and an accessible /tmp allows people to do large disk space
intensive stuff (like compile programs), but not permanently consume
the space.

A friend of mine and I have discussed how setting modes on /tmp in a
slightly unconventional manner can increase the security of the
system.  If instead of having the modes on /tmp allow everyone on
the system to write into it (1777), how about creating a new group
called 'notmp' and setting the modes on /tmp to be 1707 owned by
root and grouped to the 'notmp' group.  You'd then put standard
system daemon ids like 'www', 'nobody', 'daemon', 'ftp', etc. in
that group and this would prevent them from scribbling onto the
filesystem.  On servers (i.e. on systems without informed users) this
protection mechanism would give us the ability to have loginids
which could run programs but which would have NO write access to
the filesystem.

You could even go so far as to set particular executables setgid
to the 'notmp' group, and prevent regular users who are running
that app from accessing /tmp.  I think using membership in a
group as the basis for removing privilege is an especially good
idea that often gets overlooked when people think about permissions.

 -- William McVey
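
The mode-1707 scheme described in the message above works because the classic Unix check consults exactly one permission triplet (owner, else group, else other). The following is an added example, not part of the original post; the uids, gids and the NOTMP_GID value are constructed for illustration.

```python
# Added example: classic Unix permission-class selection applied to /tmp.
# All uids, gids and account names below are constructed for illustration.
NOTMP_GID = 900  # hypothetical gid for the 'notmp' group

def perm_class(mode, dir_uid, dir_gid, uid, gids):
    """Pick the single rwx triplet consulted: owner, else group, else other."""
    if uid == dir_uid:
        return "owner", (mode >> 6) & 7
    if dir_gid in gids:
        return "group", (mode >> 3) & 7   # used even when 'other' grants more
    return "other", mode & 7

def can_create_in(mode, dir_uid, dir_gid, uid, gids):
    """Creating a file in a directory needs write (2) and search (1) on it."""
    if uid == 0:
        return True                        # root bypasses the mode bits
    _, bits = perm_class(mode, dir_uid, dir_gid, uid, gids)
    return (bits & 3) == 3

# name -> (uid, effective gid plus supplementary gids)
ACCOUNTS = {
    "root": (0, {0}),
    "www": (80, {80, NOTMP_GID}),
    "ftp": (21, {21, NOTMP_GID}),
    "alice": (1001, {100}),
    # a regular user running an executable that is setgid to 'notmp'
    "alice via setgid-notmp app": (1001, {NOTMP_GID, 100}),
}

def evaluate(mode, dir_uid=0, dir_gid=NOTMP_GID):
    """Map each constructed account to whether it may create files in /tmp."""
    return {name: can_create_in(mode, dir_uid, dir_gid, uid, gids)
            for name, (uid, gids) in ACCOUNTS.items()}

if __name__ == "__main__":
    for mode in (0o1777, 0o1707):
        print(oct(mode))
        for name, ok in evaluate(mode).items():
            print(f"  {name:28} {'write' if ok else 'DENIED'}")
```

The denial applies only when the running process actually carries the 'notmp' gid, as its effective gid or in its supplementary group list, and it never applies to uid 0.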


