On Sat, 2024-07-20 at 19:58 +0300, Alexander Tsoy wrote:
>
> Please note that systemd-tmpfiles can remove the whole /var/tmp/nginx
> directory if it and its contents are not touched for a long time. And
> then reload of nginx might fail. So it is better to create this
> directory via tmpfiles.d.
>
Good catch. Using a fixed path under /tmp (or /var/tmp) is also a
security issue, because another user can "steal" the path before nginx
tries to create it. For example,

  $ mkdir /var/tmp/nginx
  $ ls -lh /var/tmp/
  total 4.0K
  drwxr-xr-x 2 mjo mjo 4.0K Jul 20 13:07 nginx

Since I own that directory, I will ultimately be able to write to
nginx's temporary files.

The OpenRC script is using "checkpath" which is a bit safer, so I didn't
say anything there, and systemd-tmpfiles is similarly safe. But so long
as we're talking about it: what do the file names under /var/tmp/nginx
look like? Hopefully they're random. Otherwise we have to worry about
the bad guy pre-creating not only the directory, but also the files
inside it.
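The pre-creation problem described in this message is what OpenRC's checkpath and systemd-tmpfiles guard against: they refuse or repair a directory whose owner or mode is not what the service expects. The script below is an added example written for this thread, not code from the thread, from OpenRC or from the nginx ebuild. It performs the same kind of pre-flight check in plain sh before a daemon touches a fixed path: the path must not be a symlink, must be a real directory, must be owned by the expected user, and must not be writable by group or others. It assumes GNU coreutils (stat -c) and id; the function name safe_tmpdir and the usage arguments are this example's own.

```shell
#!/bin/sh
# Added example: a checkpath-style sanity test for a fixed temp directory.
# Assumes GNU coreutils (stat -c '%U' / '%a') and id -un.

# safe_tmpdir DIR EXPECTED_USER
# Returns 0 if DIR is safe for EXPECTED_USER to use, 1 otherwise.
# The reason for a refusal is printed on stderr.
safe_tmpdir() {
    dir=$1
    user=$2

    # A symlink planted by another user would redirect every temp file
    # the daemon writes; test -L before test -d, since -d follows links.
    if [ -L "$dir" ]; then
        echo "refusing $dir: is a symlink" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "refusing $dir: not a directory" >&2
        return 1
    fi

    owner=$(stat -c '%U' "$dir")
    mode=$(stat -c '%a' "$dir")

    # The "mkdir /var/tmp/nginx as mjo" case from the message: wrong owner.
    if [ "$owner" != "$user" ]; then
        echo "refusing $dir: owned by $owner, expected $user" >&2
        return 1
    fi

    # Group/other write bits (octal 022) let anyone else plant or replace
    # the files inside, even when the directory itself is owned correctly.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "refusing $dir: mode $mode is group/other writable" >&2
        return 1
    fi

    echo "ok: $dir owned by $owner, mode $mode" >&2
    return 0
}

# Stand-alone usage: sh check.sh /var/tmp/nginx nginx
# (second argument defaults to the invoking user)
if [ $# -gt 0 ]; then
    safe_tmpdir "$1" "${2:-$(id -un)}"
fi
```

The thread's own recommendation, a tmpfiles.d entry (for instance a line of the form `d /var/tmp/nginx 0750 nginx nginx -`, an assumed example of the syntax rather than anything from the ebuild), is the right way to create the directory; a runtime check like this one is a complement for init scripts that cannot rely on tmpfiles.d having run first. It says nothing about the file names inside the directory, which is the separate question the message raises.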