On 01/10/17 09:06 AM, Carlos E. R. wrote:
On 2017-09-30 14:36, Anton Aylward wrote:
On 29/09/17 08:13 PM, Илья Индиго wrote:
In my fstab, for performance and security reasons, I specify this:

tmpfs /tmp tmpfs nodev,nosuid,size=2G 0 0
tmpfs /var/tmp tmpfs nodev,nosuid,size=2G 0 0
tmpfs /var/cache/zypp tmpfs nodev,nosuid,noexec,mode=0755,size=2G 0 0
tmpfs /run tmpfs nodev,nosuid,noexec,mode=0755,size=32m 0 0
tmpfs /run/lock tmpfs nodev,nosuid,noexec,mode=0755,size=8m 0 0
tmpfs /root/.cache tmpfs nodev,nosuid,noexec,mode=0700,size=2G 0 0
tmpfs /home/ilya/.cache tmpfs nodev,nosuid,noexec,mode=0700,uid=1000,size=2G 0 0
tmpfs /var/lib/wwwrun/.cache tmpfs nodev,nosuid,noexec,mode=0700,uid=30,size=2G 0 0
Well, that's interesting, but I don't see why you specify those in your FSTAB.
For _security_
It is not the default settings. He is doing those. He disallows anything from running off those.
Yes, I understand that. Look, what he's doing is creating lots-a-lots of tmpfs. I have no 'tmpfs' line at all AT ALL AT ALL in my FSTAB but I still have ..

# mount | grep tmpfs
devtmpfs on /dev type devtmpfs (rw,nosuid,size=1943064k,nr_inodes=485766,mode=755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
tmpfs on /var/lock type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /var/run type tmpfs (rw,nosuid,nodev,mode=755)

tmpfs on /run/user/501 type tmpfs (rw,nosuid,nodev,relatime,size=390008k,mode=700,uid=501,gid=501)
tmpfs on /var/run/user/501 type tmpfs (rw,nosuid,nodev,relatime,size=390008k,mode=700,uid=501,gid=501)

What this doesn't make clear is that most of those are "mount -b" or symlinks. I've inserted a blank line to make it clear that there are two groupings there.

See, for example, /usr/lib/systemd/system/var-lock.mount
See, also, /usr/lib/tmpfiles.d/*

Now I could override that, and add appropriate lines under a custom tmpfile conf to bind-mount or symlink all of those nice extras that Илья Индиго mentions, all without the need to create more and more individual shared memory segments. After all, that's the way it's already being done.

See also /etc/systemd/logind.conf and logind.conf(5) for the size of the per-user (/run/user/501, size=390008k in my case) space.

I'd also note that he has BOTH /tmp and /var/tmp as tmpfs. That means they will BOTH go away at reboot and be recreated. I think this is nasty. Various sources (go google for yourself, there are many), even those that admit to /tmp as a tmpfs, make the use difference between them clear, in both size of files (aka run your ISOs through /var/tmp) and lifetime (expect your ISO in /var/tmp to be there after reboot but don't expect anything in /tmp to be there after reboot). I think that is reasonable. I think the cleaning strategy using the tools we have is perfectly reasonable.
As far as the security of /var and /var/tmp goes, well, that's not a problem for me: I use LVM to create yet another LE for that.

You could always use a remount: Tie yourself in knots with

mount -o rw --bind /var/tmp /var/tmp

I'd further note that in late model Linux there is no reason why /tmp should still be a shared namespace.

--
There is no legitimate religion apart from truth.
--John Calvin
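The thread compares hand-written tmpfs entries against what systemd already mounts, with nodev/nosuid/noexec as the hardening set. As an added example (not code from this thread or from any of its posters), the following script parses both an fstab fragment and `mount`-style output and reports which tmpfs mount points lack any of those three flags. The sample fstab and mount lines are constructed in the style of the ones quoted above; devtmpfs on /dev is deliberately skipped, because device nodes must live there and nodev would be wrong for it. Whether /tmp and /var/tmp can tolerate noexec on a given box is a local decision, so the script only reports, it does not change anything.

```python
"""Report tmpfs mounts that lack the nodev/nosuid/noexec hardening flags.

Added example for the fstab/tmpfs discussion; the sample inputs below are
constructed, not taken from any real host.
"""
import re

# The three flags the thread treats as the hardening set for scratch space.
HARDENING = ("nodev", "nosuid", "noexec")

# Constructed fstab fragment in the style of the quoted configuration.
SAMPLE_FSTAB = """\
# <fs>   <mountpoint>      <type>  <options>                               <dump> <pass>
tmpfs    /tmp              tmpfs   nodev,nosuid,size=2G                    0 0
tmpfs    /var/tmp          tmpfs   nodev,nosuid,size=2G                    0 0
tmpfs    /var/cache/zypp   tmpfs   nodev,nosuid,noexec,mode=0755,size=2G   0 0
"""

# Constructed `mount | grep tmpfs` style output (devtmpfs included on purpose).
SAMPLE_MOUNT = """\
devtmpfs on /dev type devtmpfs (rw,nosuid,size=1943064k,nr_inodes=485766,mode=755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
"""

# "<src> on <mountpoint> type <fstype> (<opt,opt,...>)"
MOUNT_RE = re.compile(
    r"^(?P<src>\S+) on (?P<mp>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)"
)


def parse_fstab(text):
    """Yield (mountpoint, fstype, option_set) for each non-comment fstab line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:  # malformed line: skip rather than guess
            continue
        _src, mountpoint, fstype, opts = fields[:4]
        yield mountpoint, fstype, set(opts.split(","))


def parse_mount(text):
    """Yield (mountpoint, fstype, option_set) for each line of `mount` output."""
    for line in text.splitlines():
        match = MOUNT_RE.match(line.strip())
        if match:
            yield match["mp"], match["fstype"], set(match["opts"].split(","))


def missing_hardening(entries, fstypes=("tmpfs",)):
    """Return {mountpoint: [missing flags]} for in-memory filesystems of the
    given types that lack at least one of the HARDENING flags.

    devtmpfs is excluded by default: /dev must hold device nodes, so nodev is
    not a sensible expectation there.
    """
    report = {}
    for mountpoint, fstype, opts in entries:
        if fstype not in fstypes:
            continue
        missing = [flag for flag in HARDENING if flag not in opts]
        if missing:
            report[mountpoint] = missing
    return report


if __name__ == "__main__":
    for label, entries in (("fstab", parse_fstab(SAMPLE_FSTAB)),
                           ("mount", parse_mount(SAMPLE_MOUNT))):
        for mountpoint, missing in sorted(missing_hardening(entries).items()):
            print(f"{label}: {mountpoint} lacks {','.join(missing)}")
```

To run it against a live system instead of the constructed samples, feed `parse_fstab` the contents of /etc/fstab and `parse_mount` the output of `mount`; the per-user /run/user/UID entries from logind will then show up with their own missing flags, which is the point of comparing the two views.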