Request to move the default temp directory on Debian 13

fakemoth · December 12, 2025, 11:31am

All true, for that reason alone it is even better to move the temp, even if only for backups.

Ilia · December 12, 2025, 11:59am

That isn’t quite accurate. /tmp’s permissions are usually 1777 (drwxrwxrwt) with the sticky bit only stopping users from deleting and renaming files they don’t own. But whether another user can read a file in /tmp depends only on the file’s permissions.

Do Webmin or Virtualmin write backups with world-readable permissions?

shoulders · December 12, 2025, 12:12pm

Do Webmin or Virtualmin write backups with world-readable permissions?

I don’t know, but I thought I would raise the issue just incase.

fakemoth · December 12, 2025, 12:29pm

Just checked: started a backup and watched the files created, there is a mix of 0644 for those owned by root, and 0700 for the ones owned by other users, the files being named something like 939976_129637_29_backup.cgi.

Also in the folder where the tar.gz actually goes (the one with the name of the backup ie 129687-zz-12-12-2025-14-25), I saw the folder with 0700 and the tar.gz file inside it with 0600, both owned by root.

So it looks OKish. One thing though: I tried changing /var/tmp/.webmin to 0700 (the folder set by me in the configuration). When the backup started it was back to 0755…

Ilia · December 12, 2025, 1:00pm

This is expected:

github.com/webmin/webmin

web-lib-funcs.pl

master


      
          			if (@st) {
          				unlink($tmp_dir) || rmdir($tmp_dir) ||
          					system("/bin/rm -rf ".
          					       quotemeta($tmp_dir));
          				}
          			# Directory may exist but has wrong permissions
          			if (!-d $tmp_dir) {
          				mkdir($tmp_dir, 0755) || (($mkdirerr = $!), next);
          				}
          			chown($<, $(, $tmp_dir) || (($mkdirerr = $!), next);
          			chmod(0755, $tmp_dir) || (($mkdirerr = $!), next);
          			}
          		if ($tries >= 10) {
          			my @st = lstat($tmp_dir);
          			$mkdirerr = $mkdirerr ? " : $mkdirerr" : "";
          			&error("Failed to setup temp directory ".
          			       $tmp_dir.$mkdirerr);
          			}
          		}
          	# If running as root, check parent dir (usually /tmp) to make sure it's
          	# world-writable and owned by root

system · February 10, 2026, 1:00pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.