Permissions on /tmp (was: How can I detect whether an /etc/rc.d/init.d script is being run at boot time versus by hand?)
Joshua Judson Rosen
rozzin at geekspace.com
Tue May 21 20:11:22 EDT 2013
Bill Freeman <ke1g.nh at gmail.com> writes:
>
> I can probably count on running on a linux box, so I can probably count on
> the FHS. But the downside of tmp is that any process can also delete my pid
> file (as opposed to having to be either root or the user created for the
> program).
The sticky-bit (0001, or +t) set on /tmp prevents that from being true,
e.g.:
    jrosen@jz:~$ touch /tmp/foo
    jrosen@jz:~$ ls -ld /tmp /tmp/foo
    drwxrwxrwt 17 root root 4096 May 21 20:05 /tmp
    -rw-r--r-- 1 jrosen jrosen 0 May 21 20:05 /tmp/foo
    jrosen@jz:~$ sudo chown nobody.nogroup /tmp/foo
    [sudo] password for jrosen:
    jrosen@jz:~$ ls -ld /tmp /tmp/foo
    drwxrwxrwt 17 root root 4096 May 21 20:05 /tmp
    -rw-r--r-- 1 nobody nogroup 0 May 21 20:05 /tmp/foo
    jrosen@jz:~$ rm /tmp/foo
    rm: remove write-protected regular empty file `/tmp/foo'? y
    rm: cannot remove `/tmp/foo': Operation not permitted
I don't see "/tmp should be sticky" in FHS, but I think everyone
(maybe excepting some embedded systems) does it, don't they?
Seems like /tmp would be a *very* scary place without a sticky-bit....
--
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
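
Added example, not part of the original post: a Python model of the delete rule the session above demonstrates, plus a check a daemon could run before writing its pid file into a shared directory. The function names and uids are constructed for illustration, and uid 0 stands in for the kernel's capability check.

```python
import os
import stat
import tempfile

def may_unlink(dir_mode, dir_uid, file_uid, caller_uid):
    """Model of the delete check for a caller who already has write and
    search permission on the directory (everyone does on a 1777 /tmp)."""
    if caller_uid == 0:            # simplification: root stands in for CAP_FOWNER
        return True
    if dir_mode & stat.S_ISVTX:    # sticky: only file owner or directory owner
        return caller_uid in (file_uid, dir_uid)
    return True                    # no sticky bit: directory write access suffices

def pidfile_dir_ok(path):
    """True unless the directory is world-writable without the sticky bit."""
    mode = os.stat(path).st_mode
    if not stat.S_ISDIR(mode):
        raise NotADirectoryError(path)
    return not (mode & stat.S_IWOTH) or bool(mode & stat.S_ISVTX)

def demo():
    """Run the directory check on a scratch directory, with and without +t."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o1777)
        with_sticky = pidfile_dir_ok(d)
        os.chmod(d, 0o0777)
        without_sticky = pidfile_dir_ok(d)
        os.chmod(d, 0o700)         # restore a private mode before cleanup
    return with_sticky, without_sticky

if __name__ == "__main__":
    TMP_MODE = stat.S_IFDIR | 0o1777
    ROOT, JROSEN, NOBODY = 0, 1000, 65534   # constructed uids
    # Same situation as the session: /tmp/foo now belongs to nobody.
    print("jrosen may rm nobody's file:", may_unlink(TMP_MODE, ROOT, NOBODY, JROSEN))
    print("jrosen may rm own file:     ", may_unlink(TMP_MODE, ROOT, JROSEN, JROSEN))
    print("same, /tmp without +t:      ",
          may_unlink(stat.S_IFDIR | 0o0777, ROOT, NOBODY, JROSEN))
    print("scratch dir ok (1777, 0777):", demo())
    print("/tmp ok for pid files:      ", pidfile_dir_ok("/tmp"))
```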