This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.

Recommended size for 'tmp'

4 posts / 0 new

Topic locked

Last post

#1 Mon, 05/21/2012 - 12:06

PaliGap

Recommended size for 'tmp'

Hi

I want to configure a secure 'tmp' directory, and so I was thinking about what size to make it.

For the most part I suppose a size of, say, 1Gb would be more than enough. But I'm guessing the main use of the TMP directory comes from VirtualMin backups. I have around 160 virtual servers, some are up to 2Gb in size, and a full backup is 12Gb. So - any idea what a good size for TMP should be to handle that?

Thanks.

#2 Mon, 05/21/2012 - 13:07

andreychek

Howdy,

I personally don't think there would be much benefit to restricting the size of your /tmp directory, that would probably end up causing more issues than it solves.

That said, you could always tell Virtualmin to use an alternate directory for it's temp files -- you can do that in Webmin -> Webmin -> Webmin Configuration -> Advanced Settings -- and in there you can set the Webmin temp dir.

-Eric

#3 Mon, 05/21/2012 - 13:31

PaliGap

Thanks Eric

(So - do you think that the fuss that's made about "securing the tmp directory" is a bit overdone? ;-) )

#4 Mon, 05/21/2012 - 15:23

andreychek

Well, I love the idea of security in layers, and there can be benefits to various security ideas that are floating around.

That said, I don't feel like there's much bang for the buck when it comes to making changes to /tmp.

If your users are all setup with quotas (which is the default in Virtualmin), then no one user should be able to fill up the filesystem. So there wouldn't be a benefit to restricting the size of /tmp.

And I've seen mentions of mounting /tmp noexec -- yes, that would prevent a compiled program from running from /tmp, but that's not typically what I've seen attackers doing... most of the breakins I've seen had malicious scripts uploaded (and not compiled programs). And setting /tmp to noexec won't prevent a script from running, since it's not executed, it's interpreted.

However, if a malicious user wanted to run a compiled program, they could just do so in the home directory, where they have rights to write and execute files.

One of the places to spend a decent amount of time is in verifying that all your web apps (and their associated plugins) are all kept up to date -- that's the most common source of breakins.

-Eric

Topic locked