Stuart Henderson <s...@spacehopper.org> wrote:

> On 2020/04/07 18:01, Stefan Sperling wrote:
> > On Tue, Apr 07, 2020 at 09:51:15AM -0600, Theo de Raadt wrote:
> > > Stefan Sperling <s...@stsp.name> wrote:
> > >
> > > > On Tue, Apr 07, 2020 at 09:37:02AM -0600, Theo de Raadt wrote:
> > > > > > The idea was to have /var/www/tmp created by default, but with
> > > > > > www:www ownership.
> > > >
> > > > > Create the directory. Now as a user, completely fill it.
> > > >
> > > > The proposal is to create tmp with www:www ownership, writable only for
> > > > that user, not like the old /var/tmp which was writable by anyone.
> > >
> > > That's not true; the diff created it mode 1777.
> >
> > Ah, I missed that. Yes that would be a problem in the diff.
> >
> > > A smaller secondary concern is if you can convince software using this
> > > space, from remote, to hog the space too much, and/or lose track of
> > > files in there.
> > > Which would also create the fallout problems of "/var is full".
> > >
> > > It's a matter of how other /var-using software misbehaves or fails in
> > > those circumstances. These concerns have been ignored too long.
> >
> > Yes, absolutely correct. Logs or tempfiles filling up /var are a problem,
> > and in the gotweb application Tracey and I created it is indeed possible
> > for requests to trigger large tempfiles. We need to look at that and come
> > up with a better solution.
> > We could check whether httpd/slowcgi could help with this somehow and try
> > to come up with something that works for any application and not just ours.
> >
>
> fwiw my usual approach is to put /var/www on a separate filesystem ..

That's my approach also. But now /var/www can get filled. The problem is how will /tmp files be handled? Sloppily, I predict.