Путеводитель по Руководству Linux

  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |



   file-hierarchy    ( 7 )

обзор иерархии файловой системы (File system hierarchy overview)

UNPRIVILEGED WRITE ACCESS

Unprivileged processes generally lack write access to most of the
       hierarchy.

The exceptions for normal users are /tmp/, /var/tmp/, /dev/shm/, as well as the home directory $HOME (usually found below /home/) and the runtime directory $XDG_RUNTIME_DIR (found below /run/user/) of the user, which are all writable.

For unprivileged system processes, only /tmp/, /var/tmp/ and /dev/shm/ are writable. If an unprivileged system process needs a private writable directory in /var/ or /run/, it is recommended to either create it before dropping privileges in the daemon code, to create it via tmpfiles.d(5) fragments during boot, or via the StateDirectory= and RuntimeDirectory= directives of service units (see systemd.unit(5) for details).

/tmp/, /var/tmp/ and /dev/shm/ should be mounted nosuid and nodev, which means that set-user-id mode and character or block special devices are not interpreted on those file systems. In general it is not possible to mount them noexec, because various programs use those directories for dynamically generated or optimized code, and with that flag those use cases would break. Using this flag is OK on special-purpose installations or systems where all software that may be installed is known and doesn't require such functionality. See the discussion of nosuid/nodev/noexec in mount(8) and PROT_EXEC in mmap(2).