[CentOS] Swap Considerations

Tue Feb 27 08:11:24 UTC 2007
Rodrigo Barbosa <rodrigob at darkover.org>

On Mon, Feb 26, 2007 at 08:48:15PM -0500, Jim Perrin wrote:
> 
> >OTOH anything bad you can do with /tmp you can do better with /var/tmp,
> >and making that noexec is not a realistic proposition.
> 
> Very true, but applications like apache/php use /tmp as their default
> scratch/upload space. 

Thank you for saying "default".

This is one thing I think should be watched carefully. I for one make sure
not only that /tmp is mounted noexec, but also that apache can't write to it:

On one of my servers (webserver mainly):

/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid,nodev,acl)

$ getfacl /tmp | grep apache
getfacl: Removing leading '/' from absolute path names
user:apache:---
default:user:apache:---

This kind of setup can save you a world of trouble/headaches.

[]s

-- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

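A small shell check for the two controls Rodrigo describes, added here as an example and not part of the original thread: it parses a mount line and a getfacl dump (both constructed samples, with hypothetical function names) and reports whether /tmp carries noexec/nosuid/nodev and whether the apache user is denied by both the access and the default ACL entry.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the two controls
# Rodrigo describes. Function names and the sample strings below are constructed.

# has_mount_opt MOUNT_LINE OPTION -> succeeds if OPTION appears in the
# parenthesised option list of a line in "mount" output format.
has_mount_opt() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# tmp_hardened MOUNT_LINE -> succeeds only when noexec, nosuid and nodev
# are all present (rw and acl are allowed but not required).
tmp_hardened() {
    for o in noexec nosuid nodev; do
        has_mount_opt "$1" "$o" || return 1
    done
    return 0
}

# acl_denies_user GETFACL_OUTPUT USER -> succeeds when both the access entry
# and the default entry for USER are '---' (no rwx on /tmp or on new files in it).
acl_denies_user() {
    printf '%s\n' "$1" | grep -qx "user:$2:---" || return 1
    printf '%s\n' "$1" | grep -qx "default:user:$2:---" || return 1
    return 0
}

# Constructed sample input mirroring the post; on a live host use
#   MOUNT_LINE=$(mount | grep ' on /tmp ') and ACL_DUMP=$(getfacl /tmp)
SAMPLE_MOUNT='/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid,nodev,acl)'
SAMPLE_ACL='# file: tmp
user::rwx
user:apache:---
group::rwx
mask::rwx
other::rwx
default:user:apache:---'

if tmp_hardened "$SAMPLE_MOUNT" && acl_denies_user "$SAMPLE_ACL" apache; then
    echo "/tmp: noexec,nosuid,nodev set and apache denied by ACL"
else
    echo "/tmp: hardening incomplete"
fi
```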