1.10. User Downloads Are Overloading Workstations
As with all annoyances in this book, there is more than one method available to solve problems. In this case, I'll show you how you can keep downloads to a minimum on our selected Linux distributions.

The basic premise is that, as an administrator, you've limited downloads to the /tmp directory. You can further limit user downloads with appropriate quotas as described in "Some User Is Taking Too Much Disk Space" in Chapter 10. Alternatively, you can extend the scripts shown in this annoyance to the applicable subdirectories for each user.

You can configure the default download directories associated with Internet-related applications such as Firefox. I'll describe the options briefly in Chapter 3. For more information on customizing Firefox for consistent settings, see Firefox Hacks by Nigel McFarlane (O'Reilly).

There may be security vulnerabilities associated with the Linux tools that maintain /tmp. While I believe they've been addressed by the major distributions, the article on this subject is worth reading; it's available from: http://www.bindview.com/Services/Razor/Papers/2002/mkstemp.cfm.

1.10.1. Red Hat/Fedora

The Red Hat/Fedora distributions configure the /usr/sbin/tmpwatch command to check various temporary directories and remove old files as part of a daily cron job in the /etc/cron.daily directory. tmpwatch is a script of three commands that look more complex than they are.

With the -x option, the first command excludes from consideration a number of directories essential to starting the GUI. Then it specifies that files older than 240 hours in the /tmp directory (other than those already excluded) will be deleted.

    /usr/sbin/tmpwatch -x /tmp/.X11-unix -x /tmp/.XIM-unix -x /tmp/.font-unix -x /tmp/.ICE-unix -x /tmp/.Test-unix 240 /tmp

The next command in the script deletes files older than 720 hours from the /var/tmp directory. This directory usually holds temporary configuration files associated with the KDE desktop environment.

    /usr/sbin/tmpwatch 720 /var/tmp

The final command searches through caches of manpages. As a geek, you know that manpages are organized into nine different categories. When a manpage is loaded, it is stored in cache for easier retrieval. If you haven't accessed that manpage in 10 days (720 hours), the cache is purged by the following loop:

    for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do
        if [ -d "$d" ]; then
            /usr/sbin/tmpwatch -f 720 $d
        fi
    done

Remember that the ? represents a wildcard for a single character, so the for directive shown covers the /var/cache/man/cat1 through /var/cache/man/cat9 directories.
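
The introduction suggests extending these cleanups to each user's download subdirectory. The following is an added example, not taken from the book or from any distribution's cron job: a tmpwatch-style age-based prune written with find, using modification time rather than tmpwatch's own logic. The function names, the constructed sample tree and the *.iso keep pattern are assumptions for illustration.

```shell
# Added example (not from the book): age-based prune of one download directory.
# prune_downloads DIR DAYS [KEEP_GLOB]
#   Deletes regular files under DIR whose mtime is more than DAYS days old,
#   prints each removed path, and returns 1 on unsafe arguments.
prune_downloads() {
    local dir="$1" days="$2" keep="${3:-}"
    # The root must be an existing real directory, never a symlink a user planted.
    [ -d "$dir" ] && [ ! -L "$dir" ] || { echo "refusing: $dir" >&2; return 1; }
    # DAYS must be a positive integer so a typo cannot widen the match.
    case $days in ''|*[!0-9]*|0) echo "bad age: $days" >&2; return 1 ;; esac

    # -xdev stays on one filesystem; find does not follow symlinks by default;
    # -type f leaves sockets, FIFOs and directories alone, which is what the
    # -x exclusions in the Red Hat script protect for the GUI.
    if [ -n "$keep" ]; then
        find "$dir" -xdev -type f -mtime +"$days" ! -name "$keep" -print -delete
    else
        find "$dir" -xdev -type f -mtime +"$days" -print -delete
    fi
}

# Constructed sample tree (GNU touch assumed): two old files, one new file,
# and a symlink pointing at an old file outside the download directory.
make_sample_tree() {
    local t
    t=$(mktemp -d) || return 1
    mkdir "$t/dl" "$t/outside"
    touch -d '15 days ago' "$t/dl/old.bin" "$t/dl/old.iso" "$t/outside/secret"
    touch "$t/dl/new.bin"
    ln -s "$t/outside/secret" "$t/dl/link"
    echo "$t"
}
```

Run it first with -delete removed from the find commands to list what would go, then schedule it from cron for each directory you want pruned.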

1.10.2. SUSE

SUSE Linux manages temporary files through a daily cron job in the /etc/cron.daily directory, known as suse.de-clean-tmp. It's a substantial script that depends on directives set in the /etc/sysconfig/cron configuration file. Generally, you won't need to change anything in the cron job; just modify /etc/sysconfig/cron as needed. This configuration file includes the directives defined in Table 1-10.

Table 1-10. SUSE tmp management directives

| Directive | Description |
|---|---|
| MAX_DAYS_IN_TMP | By default, SUSE sets this to , which retains all files in /tmp directories; this directive is associated with the TMP_DIRS_TO_CLEAR directive. |
| MAX_DAYS_IN_LONG_TMP | By default, SUSE sets this to , which retains all files in the directory defined by the LONG_TMP_DIRS_TO_CLEAR directive. |
| TMP_DIRS_TO_CLEAR | Normally set to /tmp. |
| LONG_TMP_DIRS_TO_CLEAR | Set to the directory of your choice; commonly used for /var/tmp. |
| OWNER_TO_KEEP_IN_TMP | Specifies the owner for files to be retained; commonly assigned to root, which retains the files in /tmp required for the GUI. |
| CLEAR_TMP_DIRS_AT_BOOTUP | Normally set to no; if set to yes, deletes all files from the /tmp directories (including those owned by the root user). Don't change unless you're not using a GUI. |
| REINIT_MANDB | Configures re-creation of the manpage database; normally set to yes. |
| DELETE_OLD_CATMAN | Deletes preformatted manpages, as stored in /var/catman directory; normally set to yes. |
| CATMAN_ATIME | Specifies a time after which preformatted manpages are deleted. |
| DELETE_OLD_CORE | Deletes older databases of files created with the updatedb command; don't change unless you have installed the findutils-locate RPM. |
| MAX_DAYS_FOR_CORE | Specifies a maximum age for file databases, in days. |

The tmpwatch RPM is no longer available for SUSE Linux. As of SUSE 9.2, the appropriate script is now part of the SUSE aaa_base RPM.

1.10.3. Debian

Debian Linux configures the /usr/sbin/tmpreaper command as part of a daily cron job in the /etc/cron.daily directory. It depends on settings that you can configure in /etc/tmpreaper.conf and /etc/default/rcS. I'll examine both the configuration files and the script.

The /etc/default/rcS file is key to a number of configuration files associated with the boot process. The default version of this file includes one related directive:

    TMPTIME=0

This specifies the time that files are stored in /tmp in days. The default of 0 specifies that files in /tmp are stored per the TMPREAPER_TIME directive in /etc/tmpreaper.conf.

Now examine the /etc/tmpreaper.conf configuration file, as that is where you can set the directives used in the /etc/cron.daily/tmpreaper cron job. This configuration file includes directives as defined in Table 1-11.

Table 1-11. Debian /etc/tmpreaper.conf management directives

| Directive | Description |
|---|---|
| SHOWWARNING | Related to the README.security.gz warning in the /usr/share/doc/tmpreaper directory. |
| TMPREAPER_TIME | If TMPTIME is not set in /etc/default/rcS, this directive determines how long files are stored in /tmp. |
| TMPREAPER_PROTECT_EXTRA | Lets you specify file patterns to protect from deletion; some are already protected in the default tmpreaper cron job. |
| TMPREAPER_DIRS | Specifies the directories to which the tmpreaper cron job applies. |
| TMPREAPER_ADDITIONALOPTIONS | Sets additional options to pass to the tmpreaper command. |

These directives are applied to the tmpreaper cron job in the first few lines of the script. First, this stanza makes sure that the tmpreaper command exists:

    if ! [ -x /usr/sbin/tmpreaper ]; then
        exit 0
    fi

The next stanza checks for and then uses the /etc/tmpreaper.conf configuration file:

    if [ -s /etc/tmpreaper.conf ]; then
        . /etc/tmpreaper.conf
    fi

The script then checks key directives; the default TMPREAPER_TIME is seven days, and the default TMPREAPER_DIRS is /tmp.

    TMPREAPER_TIME=${TMPREAPER_TIME:-7d}
    TMPREAPER_PROTECT_EXTRA=${TMPREAPER_PROTECT_EXTRA:-''}
    TMPREAPER_DIRS=${TMPREAPER_DIRS:-'/tmp/.'}

Finally, the script is run, with a lowered priority (courtesy of nice -n10) to help prevent this job from interfering with other running processes. It avoids deleting directories critical to the running of the Linux GUI.
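
Because the cron job sources /etc/tmpreaper.conf as root and then deletes from whatever TMPREAPER_DIRS names, it is worth checking both before the job runs. The following is an added example, not part of the Debian script or of the book: it resolves the settings with the same defaults shown above and refuses a writable configuration file or a directory list that resolves to /. The function name tmpreaper_preflight and its output format are assumptions, and GNU find is assumed for -perm /022.

```shell
# Added example (not the Debian cron job): resolve the settings as the stanzas
# above do, then sanity-check them.
# tmpreaper_preflight CONF -> prints "TIME=... DIRS=..."; returns 1 if risky.
# The body runs in a subshell so sourcing CONF cannot alter the caller.
tmpreaper_preflight() (
    conf="$1"
    if [ -s "$conf" ]; then
        # The file is executed as shell code by root: nobody but its owner
        # should be able to write to it.
        if [ -n "$(find "$conf" -maxdepth 0 -perm /022)" ]; then
            echo "unsafe: $conf is group- or world-writable" >&2
            exit 1
        fi
        . "$conf"
    fi
    # Same defaults as the cron job lines quoted above.
    TMPREAPER_TIME=${TMPREAPER_TIME:-7d}
    TMPREAPER_DIRS=${TMPREAPER_DIRS:-'/tmp/.'}

    # TMPREAPER_DIRS is a space-separated list, so it is split on purpose.
    for d in $TMPREAPER_DIRS; do
        real=$(cd "$d" 2>/dev/null && pwd -P)
        case $real in
            '') echo "unsafe: $d is not an accessible directory" >&2; exit 1 ;;
            /)  echo "unsafe: $d resolves to the root directory" >&2; exit 1 ;;
        esac
    done
    echo "TIME=$TMPREAPER_TIME DIRS=$TMPREAPER_DIRS"
)
```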