On 2020/04/07 18:01, Stefan Sperling wrote:
> On Tue, Apr 07, 2020 at 09:51:15AM -0600, Theo de Raadt wrote:
> > Stefan Sperling <s...@stsp.name> wrote:
> > 
> > > On Tue, Apr 07, 2020 at 09:37:02AM -0600, Theo de Raadt wrote:
> > > > > The idea was to have /var/www/tmp created by default, but with
> > > > > www:www ownership.
> > >  
> > > > Create the directory.  Now as a user, completely fill it.
> > > 
> > > The proposal is to create tmp with www:www ownership, writable only for
> > > that user, not like the old /var/tmp which was writable by anyone.
> > 
> > That's not true; the diff created it mode 1777.
> 
> Ah, I missed that. Yes that would be a problem in the diff.
> 
> > A smaller secondary concern is if you can convince software using this space,
> > from remote, to hog the space too much, and/or lose track of files in there.
> > Which would also create the fallout problems of "/var is full".
> > 
> > It's a matter of how other /var-using software misbehaves or fails in
> > those circumstances.  These concerns have been ignored too long.
> 
> Yes, absolutely correct. Logs or tempfiles filling up /var are a problem,
> and in the gotweb application Tracey and I created it is indeed possible
> for requests to trigger large tempfiles. We need to look at that and come
> up with a better solution.
> We could check whether httpd/slowcgi could help with this somehow and try
> to come up with something that works for any application and not just ours.
> 

fwiw my usual approach is to put /var/www on a separate filesystem ..
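
The two concerns raised in this thread (a temp directory created mode 1777 instead of writable only by its owner, and a temp directory that shares a filesystem with /var) can be checked mechanically. The following is an added example, not part of any message in the thread; the function name, the finding codes and the constructed directories are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_tmp_dir(path, expected_uid, shared_with):
    """Return a sorted list of finding codes for a server temp directory.

    expected_uid: uid that should own the directory (e.g. the www user).
    shared_with:  directory whose filesystem must not fill up (e.g. /var).
    """
    findings = set()
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        # Mode 1777: any local user can create files and exhaust the space.
        findings.add("world-writable")
    if mode & stat.S_IWGRP:
        findings.add("group-writable")
    if st.st_uid != expected_uid:
        findings.add("wrong-owner")
    # Same device number means same filesystem: filling `path` fills
    # `shared_with` too, which is the "/var is full" fallout.
    if st.st_dev == os.stat(shared_with).st_dev:
        findings.add("shares-filesystem")
    return sorted(findings)


def demo():
    """Audit a constructed directory at mode 1777 and at mode 0700."""
    base = tempfile.mkdtemp()          # constructed stand-in for /var
    tmp = os.path.join(base, "tmp")    # constructed stand-in for /var/www/tmp
    os.mkdir(tmp)
    results = {}
    for mode in (0o1777, 0o700):
        os.chmod(tmp, mode)
        results[mode] = audit_tmp_dir(tmp, os.getuid(), base)
    os.rmdir(tmp)
    os.rmdir(base)
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print("%04o -> %s" % (mode, ", ".join(findings)))
```

On a real host the call would pass the temp directory, the uid of the www user and "/var"; the "shares-filesystem" finding goes away once /var/www is on its own filesystem.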
