Niels Thykier wrote:
> Thierry Carrez wrote:
>> I still think /tmp is the right location for JVM temp files, since they
>> aren't cache files and should be cleaned up at system restart. If you
>> don't want them to be in /tmp, you will have to use a specific directory
>> (separate from /var/cache/tomcat6) and make sure it's cleaned up
>> periodically. You mention a security problem as the main reason to
>> change that, could you elaborate? This code looks secure to me.
>
> I based this on a certain lintian tag[1] and the "symlink race"[2] - I admit
> I am not sure to what extent someone could use the attack; the attack
> window is very short as I understand it and does require local user
> access[3].

The code doesn't use temporary files but a temporary directory. mkdir
being atomic, if /tmp/tomcat-temp can't be created because it already
exists, the code fails. There is no attack window, that's quite secure.

> On a related note; shouldn't the postrm script be removing the JVM_TMP
> dir rather than leaving it till next reboot?

It could do that specifically on purge, but I don't think it /needs/ to.

> I am considering to use /var/cache/libtomcat6-java/ or
> /var/cache/tomcat6-tmp/ as tmp dir. I assume that periodically means "on
> restart of tomcat6" (because this is what we have now[4]) and then also
> in the postrm script (since unlike /tmp the new dir will not be removed
> by itself).

That would be better than using /var/cache/tomcat6, you avoid the
potential conflicts. However those aren't cache directories but really
temporary files, so they really belong to /tmp :)

-- 
Thierry Carrez
Ubuntu server team
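An added illustration of the atomic-mkdir point made in the message above. This script was written for this editorial pass; it is not code from the tomcat6 package, its init script, or either poster. The function names, the scratch tree under mktemp -d, the "attacker" directory and the "scratch.tmp" file are all made up for the demo. It contrasts the pattern the message calls secure (plain mkdir, fail if the path exists) with the racy variant (mkdir -p), showing that only the latter follows a symlink a local user planted at the expected JVM_TMP path.

```shell
#!/bin/sh
# Added example, not part of the tomcat6 packaging. Paths and names are
# hypothetical; everything is created under a throwaway mktemp -d tree.

# Safe pattern: plain mkdir (no -p) is one atomic mkdir(2) call that fails
# with EEXIST if anything is already at the path - a directory, a file, or a
# symlink pre-planted by another local user. A symlink is never followed.
# Returns 0 only if this call created the directory.
create_tmp_dir_secure() {
    mkdir -m 0700 "$1" 2>/dev/null
}

# Racy pattern: mkdir -p reports success when the path already exists,
# including when it is a symlink pointing at a directory elsewhere, so the
# caller goes on to write into a location chosen by whoever planted the link.
create_tmp_dir_racy() {
    mkdir -p "$1" 2>/dev/null
}

# Scenario: before the service starts, a local user plants a symlink at the
# expected JVM_TMP path pointing at a directory they control (constructed
# here under a temporary tree). Returns 0 when the secure variant refused
# the planted path, the racy variant accepted it, and a file written
# through the racy path ended up in the attacker-controlled directory.
simulate_symlink_race() {
    base=$(mktemp -d) || return 2
    attacker_dir="$base/attacker"
    jvm_tmp="$base/tomcat-temp"
    mkdir "$attacker_dir"
    ln -s "$attacker_dir" "$jvm_tmp"

    secure_rc=0
    create_tmp_dir_secure "$jvm_tmp" || secure_rc=$?

    racy_rc=0
    create_tmp_dir_racy "$jvm_tmp" || racy_rc=$?
    # Write a scratch file as the JVM would; with the racy variant this
    # lands in attacker_dir because the symlink was silently accepted.
    echo "session data" > "$jvm_tmp/scratch.tmp"
    landed=1
    [ -f "$attacker_dir/scratch.tmp" ] && landed=0

    rm -rf "$base"
    [ "$secure_rc" -ne 0 ] && [ "$racy_rc" -eq 0 ] && [ "$landed" -eq 0 ]
}

# Clean slate: with nothing pre-planted, the secure variant creates the
# directory normally and returns 0.
create_fresh_ok() {
    base=$(mktemp -d) || return 2
    create_tmp_dir_secure "$base/tomcat-temp"
    rc=$?
    rm -rf "$base"
    return $rc
}

if simulate_symlink_race; then
    echo "plain mkdir refused the planted symlink; mkdir -p followed it"
else
    echo "unexpected result, check the environment"
fi
create_fresh_ok && echo "plain mkdir created a fresh directory fine"
```

Run it with `sh` on any Linux or BSD host; it needs only mkdir, ln and mktemp. The practical takeaway for an init script is that `mkdir "$JVM_TMP" || exit 1` gives the guarantee described in the message, whereas `mkdir -p "$JVM_TMP"` (or `rm -rf` followed by `mkdir -p`) reintroduces the window the lintian tag warns about.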

