I assume you mean preventing a normal user from filling up /tmp
, or from copying files into tmp that could then do something nasty. For the first risk, I'm not aware of any easy solution, but there are a few things you can do. For the second, as long as the sticky bit is set and umasks are set correctly, /tmp should be OK.
Things you can try :
- Have /tmp as a separate filesystem and set the nosuid and nodev flags.
- Have users use a different tmp directory by default (TMPDIR=~/tmp, for example).
- Have your key applications use their own tmp directory so /tmp filling up doesn't cause them a problem.
- Place a limit on the max. file size a user can create (ulimit) - nothing stopping a user creating lots of small files though.
- Set up alerting so you get an email/page/... if /tmp goes over (for example) 80% full.
|