0

After searching the tmpfiles.d documentation, it seems like there is a limited number of options to erase the files/directories. I want to totally erase the temporary directories with a shred-like command. Is there a way to trigger a script in the tmpfiles.d configuration or some hidden mechanism to use shred during tmp cleanup?

Jaay
  • 145

1 Answer

0

Yes! Call systemd-tmpfiles --remove to remove all contents of directories that are configured with a D or R and all files or directories that are configured with r or R.

From man systemd-tmpfiles:

   --remove
       If this option is passed, the contents of directories marked with D or R,
       and files or directories themselves marked with r or R are removed.

To be slightly less invasive, you could filter this to only directories that start with a prefix:

   --prefix=path
       Only apply rules with paths that start with the specified prefix. This option
       can be specified multiple times.

   --exclude-prefix=path
       Ignore rules with paths that start with the specified prefix. This option
       can be specified multiple times.

Or you could clean more often. --clean will only remove temporary files that have expired (age has passed). In the following example, running systemd-tmpfiles --clean will delete any contents of /run/screens that are older than 10d.

# /usr/lib/tmpfiles.d/screen.conf
# Type  Path           Mode   User   Group    Age    Argument
  d     /run/screens   1777   root   screen   10d    -

Note that this is already checked once per day by systemd-tmpfiles-clean.timer:

$ systemctl cat systemd-tmpfiles-clean.{timer,service}
[Unit]
Description=Daily Cleanup of Temporary Directories
Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)

[Timer]
OnBootSec=15min
OnUnitActiveSec=1d

/lib/systemd/system/systemd-tmpfiles-clean.service

[Unit]
Description=Cleanup of Temporary Directories
Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
DefaultDependencies=no
Conflicts=shutdown.target
After=local-fs.target time-set.target
Before=shutdown.target

[Service]
Type=oneshot
ExecStart=systemd-tmpfiles --clean
SuccessExitStatus=DATAERR
IOSchedulingClass=idle

If that isn't aggressive enough for you, you could:

d /my/path 0755 user group  1h -

and create a drop-in that sets OnUnitActiveSec=1h on the timer.

Alternatively, if you are running a service, check out the sandboxing options in man systemd.exec. Things like PrivateTmp=, RemoveIPC= and DynamicUser= really make it possible to delete these things as soon as they are not needed anymore.

Stewart
  • 13,677
  • Thank you for your very precise answer, but my question was more about the deletion process. I know that I can manually clean the tmp files, but underneath this will call the 'rm' command and not the 'shred' command, so the files will not be securely erased from disk. – Jaay Feb 16 '23 at 15:06
  • Shred is snake oil on modern hard drives and file systems. It brings absolutely zero additional security. And it doesn't even begin to make sense on SSDs. – Marcus Müller Feb 16 '23 at 20:32
  • https://unix.stackexchange.com/questions/50079/effectivity-of-shred-on-different-file-systems – Marcus Müller Feb 16 '23 at 20:33
  • https://back.nber.org/sys-admin/overwritten-data-guttman.html – Marcus Müller Feb 16 '23 at 20:37
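The "if that isn't aggressive enough" part of the answer names two pieces but shows only one of them: the short-age tmpfiles.d rule and a drop-in on the timer. The script below is an added example, not code from the question, the answer or the systemd project. It writes both pieces, checks the tmpfiles.d line before installing it, and uses an assumed ROOT prefix (a scratch directory by default) so it can be exercised without root; the file name myapp.conf and the /my/path, user and group values are placeholders taken over from the answer.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Installs the two pieces the answer describes for a tighter cleanup:
#   1. a tmpfiles.d rule with a short age (d /my/path 0755 user group 1h -)
#   2. a drop-in that makes systemd-tmpfiles-clean.timer fire every hour
# plus a checker for tmpfiles.d lines. ROOT is an assumed scratch prefix so
# the script runs without root; with ROOT="" the files land under /etc.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"
RULE_FILE="$ROOT/etc/tmpfiles.d/myapp.conf"      # "myapp" is a hypothetical name
TIMER_DROPIN="$ROOT/etc/systemd/system/systemd-tmpfiles-clean.timer.d/override.conf"

# Build one tmpfiles.d line: Type Path Mode User Group Age Argument.
rule_line() {
    printf 'd %s %s %s %s %s -\n' "$1" "$2" "$3" "$4" "$5"
}

# Check a tmpfiles.d line before installing it: seven fields, a type that
# makes sense for an age-based rule, and an age that is "-" or a number with
# a unit systemd-tmpfiles accepts. Single-unit ages only (an assumption of
# this checker; systemd itself also accepts sums such as 1h30min).
validate_rule_line() {
    set -- $1
    [ "$#" -eq 7 ] || return 1
    case "$1" in d|D|r|R|f|x|X|e|v|q|Q) ;; *) return 1 ;; esac
    printf '%s' "$6" | grep -Eq '^(-|[0-9]+(us|ms|s|min|m|h|d|w|y)?)$'
}

# Write the rule file; refuses to install a line the checker rejects.
install_rule() {
    line="$(rule_line "$@")"
    validate_rule_line "$line" || { echo "bad rule: $line" >&2; return 1; }
    mkdir -p "$(dirname "$RULE_FILE")"
    {
        echo '# Type  Path  Mode  User  Group  Age  Argument'
        echo "$line"
    } > "$RULE_FILE"
}

# Drop-in: only the [Timer] key being overridden; the vendor unit supplies
# the rest, so the daily OnBootSec/Description stay as shipped.
install_timer_dropin() {
    mkdir -p "$(dirname "$TIMER_DROPIN")"
    printf '[Timer]\nOnUnitActiveSec=%s\n' "$1" > "$TIMER_DROPIN"
}

# Demo run with the answer's values.
install_rule /my/path 0755 user group 1h
install_timer_dropin 1h
echo "wrote $RULE_FILE and $TIMER_DROPIN"
```

On a live system (ROOT="" and root privileges) the drop-in takes effect after `systemctl daemon-reload` and `systemctl restart systemd-tmpfiles-clean.timer`, and `systemd-tmpfiles --clean --prefix=/my/path` runs the cleanup immediately for just that rule. As the comments point out, this is still ordinary unlinking, not overwriting: a one-hour age shortens how long expired files sit on disk, it does not change what happens to their blocks.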