ideal location to place temporary files in Linux & HP-UX : /tmp or /var/tmp ? OS security


Due to security requirement, we can't ssh / winscp using root into Linux
( Redhat & CentOS ) & HP-UX servers.

I have a recurring issue with Winscp : in most cases, the login id used by the
individual sysadmin after doing Winscp can't read a number of logs or files
that we need to copy out to Windows PC for emailing out.
So the sysadmin would ssh login to his individual id, su to root & temporarily
change the permission of the file & possibly the directory the file is in to 644
(world  readable), then winscp to copy it out & then reverse back the permission.

I'm not in favour of this as it's sort of a change & sometimes the sysadmin forgets to
reverse / normalize back the permission (which will flag as alert in the next security
scan), sometimes, it was reversed back incorrectly (which will trigger jobs' failure).

I thought that the sysadmin copies using root the required file to /tmp & make it world
readable & then winscp out the file & housekeep /tmp.  But I've seen a case where
/tmp fills up to 99.9% & cause a service disruption & sysadmin did not realize it till
about 30-60 minutes later (despite that there's filesystem monitoring in place : as the
sysadmin usually doesn't  check his email / mobile phone for new messages frequently.

Q1:
The other thing is to copy to /var/tmp : would this filling up /var/tmp cause service
disruption in any way?  Eg:
  -Disruption to say Oracle creating temp files (usually in /tmp)?
  -When new patches are being installed to HP-UX & Linux, does it go into /var  (in
   our case /var/tmp is a subdir under /var filesystem) & if there's insufficient free
   space, would the patching process bombs out in a "half-corrupted" state?
  -Any other possible disruption?

Q2:
The other thought I have is to set up ssh server or ftp server on the Windows PC
so that the sysadmin just scp or ftp the files using root directly into the PC but is
this a security threat ?  This method is probably most efficient & does not entail
any change of permission of files on Unix server & no worry of /tmp filling up

Q3:
any other thoughts of a good way of doing files transfer between the Unix servers
& Windows PC ?

sunhuxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jason WatkinsIT Project LeaderCommented:
I would make a separate partition and mount it under /tmp.

I would try to figure a way to have the the admins do what they need to do, without using the root user account. Only one or two people should know the root password.
0
CoccoBillCommented:
I agree with Firebar, mount /tmp as a separate partition so it won't fill up the root partition.

I would not allow the admins to su to root, sudo is a much better for security and  tractability. Using scp via sudo on the host and setting up an ssh server on the windows machine sounds like a pretty good solution.
0
gheistCommented:
A1
/tmp is notmally cleaned during reboot, /var/tmp is not.
So i would suggest using /tmp unless you want to save files over reboot. Also ~/tmp is a good place
I do not see sysadmins fault in you filling the disk, and with /var filled it is unlikely that any SMS or mail can exit the system.
A2
Never ever use root for that. SGID directories helps avoid changing permissions
A3
Use scp/sftp unless it is speed-restrictive.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Duncan RoeSoftware DeveloperCommented:
I have seen systems where /var/tmp is a symbolic link to /tmp. Personally, I think that's a neat idea and recommend you do that.
0
gheistCommented:
I recall using vi -r on old crashing systems couple of times.
But for modern systems I see no problem.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.