Bugtraq mailing list archives

Re: where user temp files should go, env var names


From: Peter W <peterw () USA NET>
Date: Tue, 12 Dec 2000 19:32:03 -0500

At 5:00pm Dec 11, 2000, Thomas Corriher wrote:

> So many of these problems would just disappear if the
> system's default profile had something like "$TMPDIR=$HOME"
> or "$TMPDIR=$HOME/tmp".  Pine is not really the problem.
> Poorly configured systems are the problem.

Yes, I quite agree. Vendors provide apps that default to /tmp in the
absence of $TMP, so they *should* make an effort at safe $TMP dirs.

* Environment Variable Names & Conventions *

First, we've observed that some applications respect $TMP while others
expect $TMPDIR. I would like to suggest that *only* these two variable
names should be used to indicate preferred locations for temporary files.
Please, please do not expect any other similar environment variable names.
It is NOT reasonable to expect users and system admins to accommodate a
whole mess of environment variable names. The value of the environment
variables should be the name of the preferred temp directory, without any
trailing slash, e.g. TMP="/home/foo/tmp" where /home/foo/tmp is a safe dir.

In my opinion, it is reasonable for an application to expect TMP or TMPDIR
to point to safe space. An application that looks for another env var
should be corrected. Does your app look for $TEMP? Either change that, or
at least make it *also* check for TMP or TMPDIR.

* Not Just For Filesystem Security *

Some admins, especially those on systems that use tmpfs for /tmp, prefer
that users *not* create (large) temporary files in /tmp, to avoid
depletion of swap space. So, while your application may be very careful
about safely using temporary space, admins will appreciate it if your app
also respects TMP and/or TMPDIR so they can direct resource usage better.

> This type of problem appears again, and again, and again; yet
> these problems could be fixed with a one-liner.

* Privacy *

Well, a bit more than a one-liner, as my script has shown; with many
default umasks of 002 or 022, you want a directory with more protection
against snooping. And root's home dir is often "/" which makes ${HOME}/tmp
problematic. ;-) Plus it's nice if the app can assume $TMPDIR's existence.

> I am not even an expert on security matters, but I do know enough
> about the basics to realize that many default configurations are
> incredibly stupid.

* Reasons Why Vendors Don't Use $HOME To Hold $TMP / $TMPDIR *

One of the problems with TMP and TMPDIR is that of filesystem purging.
Many Unix systems clear /tmp on each reboot. Many Linux systems use apps
like Red Hat's 'tmpwatch' to purge shared areas like /tmp of unused files.

I suppose that could be addressed by putting an invocation of 'tmpwatch'
in the profile scripts in /etc/skel so users could disable the cleaning of
${HOME}/tmp if they'd like (or in /etc/profile.d if you want to enforce
the pruning).

Another problem with TMP/TMPDIR in home directory space is that some apps
may need to write big files that are better suited to space like /tmp
which is 1) not backed up and 2) often on fast tmpfs space. Admins
concerned about these issues can make safe temp dirs inside /tmp, with the
caveat that doing so can enable users to monitor the login habits of
others unless more sophisticated coding is done (e.g., reusing temp dirs).

* More Free Code *

I've put together another quick script, for making dirs inside /tmp, which
you can get from my Web space at http://www.tux.org/~peterw/linux/
 bastille-tmpdir.sh.txt         - older: makes persistent dir in $HOME
 bastille-tmpdir-tmp.sh.txt     - new!: makes new dirs inside /tmp

Both are designed to be installed in /etc/profile.d (without the .txt
extension, and set executable) to protect Bourne shell users on typical
Linux systems.

-Peter
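
The private per-user temp directory discussed in this message, as an added sketch for /etc/profile.d. It is not Peter W's bastille-tmpdir scripts, which are not reproduced on this page; the function name private_tmpdir is hypothetical. It assumes the base directory ($HOME) is writable only by its owner, and it uses `test -O`, which is widely supported but not POSIX.

```shell
#!/bin/sh
# Added example: create or validate BASE/tmp as a private temp directory.
# private_tmpdir BASE prints the directory path on success and returns
# non-zero when the directory cannot be trusted.
# Assumption: BASE is writable only by its owner (true for a normal $HOME,
# NOT true for /tmp, which needs more careful handling).
private_tmpdir() {
    base=${1%/}                     # strip one trailing slash; "/" becomes ""
    # Refuse an empty base: root's home is often "/", so $HOME/tmp would be /tmp.
    [ -n "$base" ] && [ -d "$base" ] || return 1
    dir=$base/tmp

    # Never follow a symlink sitting where the temp dir should be.
    if [ -L "$dir" ]; then
        return 1
    fi

    if [ ! -d "$dir" ]; then
        # Set umask in a subshell so a default of 002 or 022 cannot leave
        # the new directory readable by group or other, even briefly.
        (umask 077 && mkdir "$dir") || return 1
    fi

    # Must be a real directory owned by the current user.
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1

    # Tighten a pre-existing directory that was created with a looser mode.
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Profile usage: export both names, since some applications read TMP and
# others read TMPDIR. The value carries no trailing slash.
if d=$(private_tmpdir "${HOME:-}"); then
    TMP=$d
    TMPDIR=$d
    export TMP TMPDIR
fi
```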

