Hacker News new | past | comments | ask | show | jobs | submit login

> The fix, way back when, should have been for login(8) to create a per-user temporary directory in a sensible place before it drops privilege, and set $TMPDIR so the user’s shell and child processes can find it.

Something like

    tmpdir := "/tmp/${USERNAME}"
    loop:
        rmdir(tmpdir, recurse=true)
        while not mkdir(tmpdir, 0o700, must-create=true)
    chown(tmpdir, user=$USERNAME, group=$USERGROUP)
    export("TMPDIR", tmpdir)
with /tmp having root:root owner with 0o775 permissions on it? Yeah, would've been nice.



MacOS does something like this. Not by username, but through /private, which is a private mount, and then /tmp is linked to /private/tmp, as are /var and /etc.


You're right that macOS has per-user temp (and cache) dirs under /private/var/folders/ (since 10.5), but it still has traditional shared /tmp (via the /private/tmp symlink) since not everything respects the per-user temp dir.

https://magnusviri.com/what-is-var-folders.html

That's not the reason for /private though. Rather, /private is a holdover from NeXTSTEP days which could mount the OS via NFS (NetBoot), and where /private was local to the machine:

"Each NetBoot client will share the server's root file system, but there are several administrative files (such as the NetInfo database, log files, and the swapfile) that must be unique to each client. The server must have a separate directory tree for each client, which the client mounts on its own /private directory during startup. This lets a client keep its own files separate from those of other clients."

https://www.nextcomputers.org/files/manuals/nsa/13_NetBoot.h...


Thanks for that first link, explained some stuff I've been curious about


Why not both, like Windows?

$HOME/.tmp for user operations and /tmp for system operations?

EDIT: I see from other posters it can be done. Why the heck isn't this the default?!


IMO even a home-level, per-user tmp directory isn't ideal (though it is better). In a single-user environment, where malware is the biggest concern in current times, what difference does it make if it's a process running under a different user or one that is running under your current user that is attacking you?

In other words, for many systems, a home-level temp directory is virtually the same as /tmp anyway since other than system daemons, all applications are being started as a single user anyway.

And that might be a security regression. For servers you're spinning up most services at bootup and those should either be running fully sandboxed from each other (containerization) or at least as separate system users.

But malware doesn't necessarily need root, or a daemon process user id to inflict harm if it's running as the human user's id and all temp files are in $HOME/.tmp.

What you really want is transient application-specific disk storage that is isolated to the running process and protected, so that any malware that tries to attack another running application's temp files can't since they don't have permission even when both processes are running under the same user id.

At that point malware requires privilege escalation to root first to be able to attack temp files. And again, if we're talking about a server, you're better off running your services in sandboxes when you can because then even root privilege escalation limits the blast radius.


> In a single-user environment, where malware is the biggest concern in current times, what difference does it make if it's a process running under a different user or one that is running under your current user that is attacking you?

In these systems, the responsibility passes to EDRs or similar. But neither a $HOME/.tmp or /tmp matter in these scenarios. _Shared_ systems are where the concept of $HOME/.tmp might be more interesting.


> In a single-user environment, where malware is the biggest concern in current times, what difference does it make if it's a process running under a different user or one that is running under your current user that is attacking you?

Very true, and this is a real weakness of the UNIX (and Windows, even worse!) style security model in the modern environment. Android/iOS do a lot better.


> Android/iOS do a lot better.

They would if they were designed with the user's security in mind, instead of Google's/Apple's control.

But I disagree, they don't do better at all. Any software that wants to get access to everything just needs to insist.


Check pledge/unveil under OpenBSD. You get isolated software yet with freedoms.


I've recently packed some Linux software in flatpak. It's surprisingly good.

Not as good as a real capability-based access control, but quite good compared to the other things that are usable on Linux.


Why are capabilities restrictions not the norm when the concept is so old and seemingly so sound?


Linux doesn't have a good capability system.

And no good system makes it into Linux because it has a huge, well supported one, and some 3 other candidates pushing to get there already.


So something crummy but usable-enough for experts (SELinux?) worse-is-better'd its way onto the Linux scene, and now it has matured enough that on the one hand it can't be displaced but on the other its model is ossified and can't be untangled or simplified. Makes sense.

I love Linux and many of the fruits of its messy evolution, but such fruits are certainly not all equally delicious. :(


They're really annoying to use.

Also the "UNIX ideal" is composable tools, which doesn't combine very well with any kind of sandboxing.


The thing about capabilities is that they compose very well.


"Modern" Windows apps actually have a sandbox (which includes a private temporary folder), and require permissions to access pretty much anything outside. This is all implemented in terms of the existing Win32 security model, fundamentally.

In principle, there's nothing precluding e.g. having a separate user per app on Linux, either...


I'm guessing, but I would think that the idea is to have all the junk in one place so that it can be safely cleared at startup and excluded from backups.

If the user tmp files were placed in /tmp/${USER}/ then that would achieve the same goal.


What system operations exist that need temp storage shouldn't have a separate user anyhow?


I see where you're going with your question, but like Windows' Services/scheduled tasks, most of those 'users' don't have a $HOME folder.

Not to say they couldn't have one!


Services on windows have home folder e.g. in \Windows\ServiceProfiles\LocalService


/tmp is 01777

Anything that requires login(8) or PAM to make it happen is insufficient. This has to happen in environments like Kubernetes too.


It doesn't have to be, does it? Drop the S_IWOTH from it.


But you'll have to have all users be members of the group then. That gets you nothing.


No you don't have to?

    joker@e2509h:~/test_tmp$ ll
    total 12K
    drwxr-xr-x  3 joker joker 4.0K Oct 22 22:12 ./
    drwxr-x--- 11 joker joker 4.0K Oct 22 22:12 ../
    drwxr-xr-x  3 root  root  4.0K Oct 22 22:13 tmp/
    joker@e2509h:~/test_tmp$ cd tmp
    joker@e2509h:~/test_tmp/tmp$ ll
    total 12K
    drwxr-xr-x 3 root  root  4.0K Oct 22 22:13 ./
    drwxr-xr-x 3 joker joker 4.0K Oct 22 22:12 ../
    drwxr-xr-x 2 joker joker 4.0K Oct 22 22:13 joker/
    -rw-r--r-- 1 root  root     0 Oct 22 22:15 z
    joker@e2509h:~/test_tmp/tmp$ touch x
    touch: cannot touch 'x': Permission denied
    joker@e2509h:~/test_tmp/tmp$ rm z
    rm: remove write-protected regular empty file 'z'? y
    rm: cannot remove 'z': Permission denied
    joker@e2509h:~/test_tmp/tmp$ touch joker/x
    joker@e2509h:~/test_tmp/tmp$ ll joker
    total 8.0K
    drwxr-xr-x 2 joker joker 4.0K Oct 22 22:13 ./
    drwxr-xr-x 3 root  root  4.0K Oct 22 22:15 ../
    -rw-r--r-- 1 joker joker    0 Oct 22 22:13 x
    joker@e2509h:~/test_tmp/tmp$ rm joker/x
    joker@e2509h:~/test_tmp/tmp$
Looks like it works just fine.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: