[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: noexec mount-option with selinux?



On Friday 12 May 2006 07:46, Marten Lehmann wrote:
> > When you want to change the quotas or set them, run:
> > # setquota username block-soft block-hard inode-soft inode-hard -a
>
> But I'm looking for a clean way to do it without workarounds with selinux!

That's not an SELinux command, that's quota management.

So, if you do *not* want to use SELinux, then why is this thread on this list?  
Or am I misunderstanding what you are saying there?

> The system includes a webserver and when someone uses the fileupload of
> PHP, then the uploaded file will be stored in /tmp.

That is not a good idea.  Instead, either create a separate location on your 
filesystem(s).  It is dangerous to allow any network access of any kind 
to /tmp/.

For that purpose, change the app to upload the files to a directory somewhere 
on the system that has a subdirectory for each user and you can then symlink 
the per-user subdirectories into each user's home directory.  Or, you could 
just have the app upload files into the particular user's home directory.  
Both of these options would be much better (from a security standpoint) than 
what you are currently trying to do.

> So a quota of just 1 
> MB on /tmp for every user is not enough.

Well, 1MB was just a relative number I used as  an example.

> > If the quota limits need to be as strict as your first message indicates,
> > then I'm surprised you haven't already had /tmp/ on a separate
> > filesystem, with separate quotas set.  Additionally, I always split off
> > /tmp/ so *if* it fills, it doesn't "damage" my root filesystem.
>
> Actually, /home is not part of the root-partition

Yes, I understood that.  You asked how to make them share the same quota-space 
and that would require them to be on the same partition.  So, I phrased that 
as an example of having both /home/ and /tmp/ on a common filesystem.  Sorry 
for the confusion, there.

> and /tmp could be a 
> symlink to /home/tmp so both can use the some quota definitions. But how
> can I setup a system-wide policy that disallows to execute files from
> /tmp or /home/tmp?

The best way, as I see it, is to stop trying to use /tmp/ for this.  If the 
reason you are using /tmp/ is because you want old files to be removed 
automatically once they get "stale enough," then create your own cron job 
that runs tmpwatch and clears your upload director(y|ies).  Simple.  More 
secure.  No danger in /tmp/.  Quotas could be applied as you like.
-- 
Lamont R. Peterson <lamont gurulabs com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
GPG Key fingerprint: F98C E31A 5C4C 834A BCAB  8CB3 F980 6C97 DC0D D409

Attachment: pgpHqIADYFXL2.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]