On 04/03/2013 07:22 AM, Trevor Vaughan wrote:
> All,
>
> Should we be requiring polyinstantiation of /tmp and /var/tmp for users
> via PAM?

We've (Red Hat) been doing this in our OpenShift software for some time. It prevents a lot of grief as you can imagine and seems to not really cause much in the way of problems.

> I had forgotten about this until reading a recent post.
>
> I feel that this would be a good idea in general, but may cause
> issues in terms of legitimate file sharing and end up with more
> users making their home directories 755 (or more ridiculous).

There are better/more secure ways to share files, but you can also make per user /tmp default to a private one and have a public /tmp-public for example that users can explicitly use to share files.

> Also, should we be binding users to any particular CGroup limits by
> default?
>
> Thanks,
>
> Trevor

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
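Added example, not part of the original message: a Python check that a pam_namespace `namespace.conf` gives users private `/tmp` and `/var/tmp` while leaving a shared directory alone. It assumes the thread means the pam_namespace module; the sample config, the instance prefixes and the function names are constructed for illustration, and `/tmp-public` is the example name from the reply.

```python
# Added example: audit a pam_namespace namespace.conf (format per namespace.conf(5)).
# pam_namespace must also be enabled as a session module for the file to take effect.
REQUIRED = ("/tmp", "/var/tmp")      # directories the thread proposes to polyinstantiate
METHODS = {"user", "level", "context", "tmpfs", "tmpdir"}

# Constructed sample. /tmp-public (the reply's example name) is deliberately not
# listed, so it stays a single shared directory. Prefix paths are assumptions.
SAMPLE_CONF = """\
# polydir  instance_prefix      method  list_of_uids
/tmp       /tmp-inst/           user    root,adm
/var/tmp   /var/tmp/tmp-inst/   user    root,adm
"""

def parse_namespace_conf(text):
    """Map each polydir to (instance_prefix, method, uid_list) for well-formed lines."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue                          # blank, comment or malformed line
        method = fields[2].split(":", 1)[0]   # drop flags such as ":create"
        if method in METHODS:
            entries[fields[0]] = (fields[1], method, fields[3] if len(fields) > 3 else "")
    return entries

def audit(text, shared=("/tmp-public",)):
    """Return findings; an empty list means private temp dirs plus an untouched shared dir."""
    entries = parse_namespace_conf(text)
    findings = []
    for d in REQUIRED:
        if d not in entries:
            findings.append(f"{d}: not polyinstantiated")
        elif entries[d][2].startswith("~"):
            # A leading "~" restricts polyinstantiation to the listed users only.
            findings.append(f"{d}: polyinstantiated only for listed users")
    for d in shared:
        if d in entries:
            findings.append(f"{d}: polyinstantiated, so not shared")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "ok")
```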
