On Sat, Dec 15, 2012 at 12:39:13AM +0000, Roger Leigh wrote:
> > > /run/user is created by systemd. This contains within it directories
> > > owned by logged in users e.g. /run/user/rleigh in my case, and the
> > > environment variable XDG_RUNTIME_DIR is set to this location.
> > >
> > > There are a few problems with this:
> > > 1) Any user can now trivially DoS the system by filling up /run.
> >
> > I think that is a valid problem and a possible solution would be to use
> > a separate tmpfs for /run/user as long as we don't have quota support
> > for tmpfs.
> >
> > mountall (upstart) goes this route and uses
> >
> > none /run/user tmpfs nodev,noexec,nosuid,size=104857600,mode=0755 0 0
> >
> > in /lib/init/fstab.
> >
> > The only tricky part here is the size.
> > We can either:
> > a/ hard code it and ship a run-user.mount unit in /lib/systemd/system
> > b/ generate it dynamically upon installation and store the mount unit in
> >    /etc/systemd/system
> >
> > If a/, the question is which size we choose, if b/ which percentage of
> > the available RAM we use.
>
> As discussed on IRC last week, I still fail to see a valid reason
> for using the /run tmpfs for user data. While using yet another
> tmpfs mount somewhat mitigates the DoS issue, it doesn't address
> the question of why it really needs to be here in the first place.
> I would still prefer option
> c/ Use [/tmp]
>
> Steve, I don't know if you've seen this bug previously, but it
> would be useful to have your input from the upstart POV. While
> the tmpfs issue is important, for me I think that point (2) in
> my original mail has rather wider-reaching implications
> regarding session management. I do not wish to cripple the
> basic session management we have e.g. with PAM by inheriting the
> restrictions of GNOME session management system wide. It's
> fundamentally broken, and I really object to having this pushed
> onto the base system by systemd. Debian is not just for
> desktop environments.

upstart itself is agnostic on this question.

The mountall package mounts /run/user by default in support of the XDG
runtime dir spec, which requires a per-user directory which is guaranteed
to be:

 - local
 - shared across all sessions for the user on the system
 - cleaned at boot
 - secure, and only accessible to the owning user

There is no existing path on the system that's guaranteed to have these
characteristics. /home is not guaranteed to be local; /tmp is not
guaranteed to be cleaned at boot, nor is there a guaranteed secure way to
create a directory there that's discoverable by all possible unrelated
sessions for the user. So the only way to fulfill the XDG requirements is
by creating a new directory structure with new properties.

If you think the XDG requirements are /wrong/, please take that up with
the XDG folks...

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
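As an added example (not from the thread, and not code from systemd, mountall or the XDG spec), the script below audits a candidate XDG_RUNTIME_DIR against the last of Steve's four properties, "secure, and only accessible to the owning user", and reports whether the directory sits on a tmpfs separate from /run, which is the mitigation discussed above for the "fill up /run" DoS. Note that the 0700 check applies to the per-user directory (e.g. /run/user/rleigh), not to /run/user itself, which mountall mounts with mode=0755 so that every user can reach their own subdirectory. The function names are my own; the mount lookup assumes a Linux /proc/mounts and the permission parsing assumes a POSIX ls -n.

```shell
#!/bin/sh
# Added example, not part of the original mail thread.
# Assumptions: POSIX sh with ls -n, id -u, cut; /proc/mounts for mount lookup.

# check_runtime_dir DIR
#   Returns 0 when DIR is a real directory (not a symlink) owned by the
#   calling user with mode exactly 0700.  Otherwise prints the failed rule
#   and returns a distinct code: 1 symlink, 2 not a directory, 3 wrong
#   owner, 4 wrong mode.
check_runtime_dir() {
    dir=$1
    uid=$(id -u)

    # A symlink here could have been planted by another user to redirect
    # sockets and lock files; reject it before following it.
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 2
    fi

    # ls -ldn prints "<mode> <links> <uid> <gid> ..."; -n keeps the uid
    # numeric so the comparison does not depend on name lookups.
    set -- $(ls -ldn "$dir")
    mode=$(printf '%s' "$1" | cut -c1-10)   # strip ACL '+' / SELinux '.' suffix
    owner=$3

    if [ "$owner" != "$uid" ]; then
        echo "FAIL: $dir is owned by uid $owner, not $uid"
        return 3
    fi
    if [ "$mode" != "drwx------" ]; then
        echo "FAIL: $dir mode is $mode, expected drwx------ (0700)"
        return 4
    fi
    echo "OK: $dir is a 0700 directory owned by uid $uid"
    return 0
}

# mount_of PATH
#   Prints "<mountpoint> <fstype>" for the longest mount point that is a
#   prefix of PATH, read from /proc/mounts (Linux-specific).
mount_of() {
    path=$1
    best='' besttype=''
    while read -r _dev mnt type _rest; do
        case "$mnt" in
            /) match=1 ;;                      # root matches everything
            *) case "$path" in
                   "$mnt"|"$mnt"/*) match=1 ;;
                   *) match=0 ;;
               esac ;;
        esac
        if [ "$match" = 1 ] && [ "${#mnt}" -ge "${#best}" ]; then
            best=$mnt besttype=$type
        fi
    done </proc/mounts
    [ -n "$best" ] && echo "$best $besttype"
}

# runtime_dir_isolated DIR [BASE]
#   Returns 0 when DIR lives on a tmpfs whose mount point differs from the
#   one backing BASE (default /run), i.e. a user filling DIR cannot exhaust
#   the tmpfs that the rest of /run depends on.
runtime_dir_isolated() {
    dir=$1; base=${2:-/run}
    set -- $(mount_of "$dir");  mnt=$1; type=$2
    set -- $(mount_of "$base"); basemnt=$1
    [ "$type" = tmpfs ] && [ -n "$mnt" ] && [ "$mnt" != "$basemnt" ]
}

# Stand-alone usage: audit the caller's own runtime dir.
if [ -n "$XDG_RUNTIME_DIR" ] && [ "${AUDIT_RUNTIME_DIR:-0}" = 1 ]; then
    check_runtime_dir "$XDG_RUNTIME_DIR"
    if runtime_dir_isolated "$XDG_RUNTIME_DIR"; then
        echo "OK: $XDG_RUNTIME_DIR is on its own tmpfs, separate from /run"
    else
        echo "WARN: $XDG_RUNTIME_DIR shares a filesystem with /run (DoS surface)"
    fi
fi
```

Run it with `AUDIT_RUNTIME_DIR=1 sh audit.sh` in a logged-in session; on a system using the mountall fstab line above, the second check passes for /run/user/<name>, while on a system where /run/user is a plain directory inside the /run tmpfs it warns, because there the size limit protecting /run is shared with every user's runtime data.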