Closed FlorianHeigl closed 5 years ago
Dear @FlorianHeigl!
It's really cool! I have questions.
What is the difference between:
tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0
and
> You can also create a group named 'shm' and put application users for SHM-using applications in there. Then the access can be completely restricted as such:
tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,mode=1770,size=1024M 0 0
Hmm... it's the same. For more consistency, let's change it to:
tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0
And please tell me what you mean: put application users for SHM-using applications in there - in /dev/shm. Can you give an example?
Thanks!!!
Sorry, I must have been too tired... Replying here first:
It should have been like this:
Either:
tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0
Or (with group)
tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0
Combined with an /etc/group entry for a group named shm. That group contains the users (i.e., say, mysql) which applications use and that should be able to write there.
They can write since it's group writeable, and since it's sticky, they can only touch their own stuff.
If you understand it like this, I'll try to rewrite it correctly later.
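As an added example (not from this thread or the guide itself), here is a small POSIX sh checker that parses an fstab- or /proc/mounts-style line for /dev/shm and reports whether it carries the options discussed above: nodev, nosuid, noexec, a size= cap, and a mode with the sticky bit, either 1777 or 1770 paired with a gid= entry for a group such as shm. The function name `check_shm_line` and the sample lines are constructed for this example; the default values it mentions (tmpfs mode 1777, size 50% of RAM) are the kernel's documented tmpfs defaults.

```shell
#!/bin/sh
# Added example: validate the hardening options of a /dev/shm tmpfs entry.
# Usage: check_shm_line "<fstab or /proc/mounts line>"
# Prints findings; returns 0 when the line meets the checks, 1 otherwise,
# 2 when the line is not a tmpfs /dev/shm entry at all.

# Return 0 if the comma-separated option list $1 contains option $2 exactly.
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# Print the value of the key=value option $2 from option list $1 (empty if absent).
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

check_shm_line() {
    line=$1
    # Split the entry into its whitespace-separated fields.
    set -- $line
    mountpoint=$2; fstype=$3; opts=$4
    rc=0
    if [ "$mountpoint" != "/dev/shm" ] || [ "$fstype" != "tmpfs" ]; then
        echo "not a tmpfs /dev/shm entry"
        return 2
    fi
    # Device nodes, setuid binaries and executable mappings have no business in /dev/shm.
    for o in nodev nosuid noexec; do
        if ! has_opt "$opts" "$o"; then
            echo "missing $o"
            rc=1
        fi
    done
    mode=$(opt_value "$opts" mode)
    case "$mode" in
        1777)
            echo "mode 1777: world-writable, sticky bit keeps users to their own files" ;;
        1770)
            gid=$(opt_value "$opts" gid)
            if [ -z "$gid" ]; then
                echo "mode 1770 without gid=: only root's group could write"
                rc=1
            else
                echo "mode 1770: writes restricted to members of gid=$gid"
            fi ;;
        "")
            echo "no mode= given: tmpfs defaults to 1777" ;;
        1[0-7][0-7][0-7])
            echo "mode $mode has the sticky bit but is non-standard, review it" ;;
        *)
            echo "mode $mode lacks the sticky bit: users could remove each other's segments"
            rc=1 ;;
    esac
    # Without size= a tmpfs may grow to half of RAM, which is a local DoS vector.
    size=$(opt_value "$opts" size)
    if [ -z "$size" ]; then
        echo "no size= limit: tmpfs defaults to 50% of RAM"
        rc=1
    fi
    return $rc
}

# Constructed sample entries, mirroring the two variants from the thread.
check_shm_line "tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0"
check_shm_line "tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0"
```

To audit a running system rather than a sample string, feed it the live entry, e.g. `check_shm_line "$(grep ' /dev/shm ' /proc/mounts)"`; /proc/mounts shows the options the kernel actually applied, which can differ from what /etc/fstab says if the mount was changed later.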
Dear @FlorianHeigl,
It's ok, no problem for me :+1: Good job! Very good.