On Friday 03 January 2003 23:42, Kevin N. Carpenter wrote:
> I've been playing around with using tmpfs for /tmp and had it mounted
> with my standard "noexec,nodev,nosuid" anti-hack security options. This
> works fine for VI or other normal tools.
>
> I wanted Portage to use it as well, so I symbolically linked /var/tmp to
> /tmp.
>
> That broke emerge. The "noexec" option prevents any builds from
> working. That made me check one of my unmodified Gentoo systems where I
> spotted that /var/tmp was world read/execute. That's a security problem.
>
> Any reason that /var/tmp can't be root read/execute only?
>
> Kevin C.
>

It's a standard temporary directory so yes. It should be open for the public.
This doesn't hold for /var/tmp/portage though. You also might want to use an
extra tmpfs or a bind mount or a change in make.conf as emerge has some
issues with symlinked paths.

Paul

--
Paul de Vrieze
Junior Researcher
Mail: pauldv@××××××.nl
Homepage: http://www.devrieze.net
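The layout Paul suggests, written out as an added example that is not from the thread: assumed fstab entries giving /tmp the noexec,nodev,nosuid options while /var/tmp/portage gets its own exec-capable tmpfs, plus a small check, run against a constructed mount table, that PORTAGE_TMPDIR does not resolve to a noexec mount (which is exactly what broke emerge when /var/tmp pointed at /tmp). The mount table, paths and the mount_opts_for/has_noexec/portage_tmpdir_ok helpers are all assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed /etc/fstab fragment:
#   tmpfs  /tmp              tmpfs  noexec,nodev,nosuid,mode=1777  0 0
#   tmpfs  /var/tmp/portage  tmpfs  exec,nodev,nosuid,mode=0775     0 0
# and in /etc/make.conf:  PORTAGE_TMPDIR="/var/tmp"
# /var/tmp itself stays a normal world-writable temp dir; only the build
# area under it is a separate mount that allows execution.

# Constructed /proc/mounts-style table so the check runs offline.
SAMPLE_MOUNTS='rootfs / ext3 rw 0 0
tmpfs /tmp tmpfs rw,noexec,nodev,nosuid 0 0
tmpfs /var/tmp/portage tmpfs rw,nodev,nosuid 0 0'

# mount_opts_for PATH TABLE -> prints the options of the mount holding PATH
# (longest matching mount point wins, as the kernel resolves it).
mount_opts_for() {
    path=$1; table=$2
    printf '%s\n' "$table" | awk -v p="$path" '
        {
            mp = $2
            if (p == mp || index(p, mp "/") == 1 || mp == "/") {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }'
}

# has_noexec PATH TABLE -> 0 if PATH sits on a noexec mount, 1 otherwise.
has_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# portage_tmpdir_ok PORTAGE_TMPDIR TABLE -> 0 when builds can run there.
# Portage builds under $PORTAGE_TMPDIR/portage, so that is the path to test.
portage_tmpdir_ok() {
    if has_noexec "$1/portage" "$2"; then
        echo "$1/portage is on a noexec mount: emerge builds will fail" >&2
        return 1
    fi
    return 0
}
```

Run the check against the live table with `portage_tmpdir_ok /var/tmp "$(cat /proc/mounts)"` after changing fstab or make.conf.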