reopen 635131
thanks

On Sun, Dec 16, 2012 at 09:51:04PM +0000, Debian Bug Tracking System wrote:
>    [ Michael Biebl ]
>    * Use a separate tmpfs for /run/lock (size 5M) and /run/user (size 100M).
>      Those directories are user-writable which could lead to DoS by filling up
>      /run.  Closes: #635131

While this change addresses point (1) in my original report, I do
not believe point (2) has been addressed at all, and I still
assert that (3) is correct for Debian.

Additionally, the size limit of 100M is far too large, by about two
orders of magnitude.  This is a directory for storing service
sockets and pipes, not vast quantities of data.  One megabyte would
be sufficient for 100s of users; 5MiB would be adequate if
overprovisioning for safety is also accounted for.  Keeping it
small will also limit abuse of this for non-socket/pipe information.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
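
An added example, not part of the original message or of Debian's initscripts: a small audit that reads mount-table text in /proc/mounts format and reports whether each user-writable directory under /run has its own tmpfs with an absolute size limit within a budget. The sample mount table is constructed, and the budgets are assumptions taken from the figures in the thread (5M for /run/lock, the 5MiB suggested above for /run/user).

```python
import re

MIB = 1024 * 1024
UNITS = {"": 1, "k": 1024, "m": MIB, "g": 1024 * MIB}

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=204800k,mode=755 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
tmpfs /run/user tmpfs rw,nosuid,nodev,noexec,relatime,size=102400k,mode=755 0 0
"""

# Assumed budgets: figures discussed in the thread, not a Debian default.
BUDGETS = {"/run/lock": 5 * MIB, "/run/user": 5 * MIB}


def parse_size(options):
    """Return the size= limit in bytes; None if absent, zero (unlimited) or a percentage."""
    for opt in options.split(","):
        m = re.fullmatch(r"size=(\d+)([kmg]?)", opt, re.IGNORECASE)
        if m:
            return int(m.group(1)) * UNITS[m.group(2).lower()] or None
    return None


def audit(mounts_text, budgets=BUDGETS):
    """Map each budgeted path to 'ok', 'over-budget', 'unbounded' or 'shared'."""
    tmpfs = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "tmpfs":
            tmpfs[fields[1]] = parse_size(fields[3])  # a later mount shadows an earlier one
    result = {}
    for path, budget in budgets.items():
        if path not in tmpfs:
            result[path] = "shared"       # no tmpfs of its own: writes fill the parent
        elif tmpfs[path] is None:
            result[path] = "unbounded"    # no absolute limit: scales with RAM or is unlimited
        elif tmpfs[path] > budget:
            result[path] = "over-budget"
        else:
            result[path] = "ok"
    return result


if __name__ == "__main__":
    for path, status in audit(SAMPLE_MOUNTS).items():
        print(f"{path}: {status}")
```

On a live system, pass the contents of /proc/mounts to `audit()` instead of the constructed sample.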

