mt.cfg dark matter: the other side of TempDir

Both mt.cfg and the manual document the TempDir directive as:

When processing uploaded files, if Movable Type notices that the file you uploaded already exists, it will allow you to overwrite the original file, by first asking for your confirmation. To do this, MT needs to write the uploaded data to a temporary file. That temporary file is stored in the directory specified by the TempDir setting; the value defaults to /tmp.

which is true, but only part of the story. TempDir is also used by the built-in public search function. To keep people from sitting on their browser’s Refresh button and spawning off several dozen searches all going at once, Search.pm implements an IP-address-based throttle. It looks for a file named mt-throttle.db in TempDir, and if it finds the user’s IP address in there with a timestamp in the last 60 seconds, it refuses to start another search; if it’s not already there, it’s added with the current timestamp.

If you are using the default, /tmp, on a shared host, one of two bad things will happen (assuming /tmp even exists – if not, that’s the third bad thing, and you don’t have a throttle). If you have the basic setup, where the server runs as one user, usually “nobody,” then your throttling will work just fine, although you are broadcasting to anyone else on your server the IP addresses of everyone who searches your site, and in an odd-but-so-what way, you throttle searches from anyone who has searched on any MT installation on your server in the last 60 seconds. However, if your server runs either suEXEC or CGIWrap, so that the server runs as your user, then only one person gets to throttle their searches. At the moment, on my server, /usr/local/tmp/mt-throttle.db is owned by, er, “***blog” and anyone else who tries to tie my %db, 'DB_File', $file; is going to fail. I have search throttling, because I set TempDir ~/mttemp, but anyone on the same server with me (except for ***blog) who hasn’t set it doesn’t.
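To make the throttle and its shared-/tmp failure mode concrete, here is an added example; it is not Movable Type’s Search.pm and not this post’s code. It reimplements the described logic in Python, with the standard dbm module standing in for Perl’s DB_File: the mt-throttle.db name, the 60-second window, and a fail-open wrapper that models what the post describes when the tie fails (the search runs with no throttle at all). It also adds a check for whether a TempDir is actually private to the user the CGI runs as, which is the property /tmp lacks and a per-user directory like TempDir ~/mttemp has. The function names, the run_demo helper and the 192.0.2.x addresses are my own constructions.

```python
import dbm
import os
import stat
import tempfile
import time

# Window described in the post: a second search from the same IP within
# 60 seconds is refused.
THROTTLE_WINDOW = 60.0
THROTTLE_NAME = "mt-throttle.db"   # file name the post says Search.pm looks for


def check_and_record(temp_dir, ip, now=None):
    """Return True if the search may start, False if it is throttled.

    Mirrors the described logic: if `ip` is in the throttle DB with a
    timestamp from the last 60 seconds, refuse; otherwise store the current
    timestamp and allow. `now` is injectable so the logic can be exercised
    without sleeping. (Python's dbm stands in for Perl's DB_File here.)
    """
    now = time.time() if now is None else now
    path = os.path.join(temp_dir, THROTTLE_NAME)
    with dbm.open(path, "c") as db:
        key = ip.encode()
        last = db.get(key)
        if last is not None and now - float(last.decode()) < THROTTLE_WINDOW:
            return False
        db[key] = repr(now).encode()
        return True


def throttled_search(temp_dir, ip, now=None):
    """Model of the shared-host behaviour the post describes: when the
    throttle DB cannot be opened (file owned by another account under
    suEXEC/CGIWrap, or TempDir missing), the tie fails and the search runs
    with no throttle. Returns (search_allowed, throttle_active) so the
    caller can see the fail-open instead of silently losing the protection.
    """
    try:
        return check_and_record(temp_dir, ip, now), True
    except (OSError, *dbm.error):   # dbm.error is a tuple of backend errors
        return True, False


def tempdir_is_private(temp_dir):
    """True when the directory is owned by the user this process runs as
    and group/other have no access: other accounts can then neither read
    the IP addresses stored in the DB nor leave a file there that our
    open would fail on. /tmp (mode 1777) fails this check by design."""
    st = os.stat(temp_dir)
    mode = stat.S_IMODE(st.st_mode)
    return st.st_uid == os.getuid() and (mode & 0o077) == 0


def make_private_tempdir(base):
    """Create a per-installation TempDir (the post's `TempDir ~/mttemp`)
    with mode 0700, which is what a shared-host user should point MT at."""
    path = os.path.join(base, "mttemp")
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)       # makedirs honours umask; force the mode
    return path


def run_demo():
    """Exercise the pieces above in a throwaway directory (constructed
    input) and return the observations so they can be checked, not just
    printed."""
    base = tempfile.mkdtemp()
    mt_tmp = make_private_tempdir(base)
    shared = os.path.join(base, "shared-like-tmp")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)            # world-writable, like /tmp
    return {
        "private_ok": tempdir_is_private(mt_tmp),       # True
        "shared_ok": tempdir_is_private(shared),        # False
        "first": check_and_record(mt_tmp, "192.0.2.10", now=1000.0),       # True
        "repeat_10s": check_and_record(mt_tmp, "192.0.2.10", now=1010.0),  # False
        "other_ip": check_and_record(mt_tmp, "192.0.2.11", now=1010.0),    # True
        "after_61s": check_and_record(mt_tmp, "192.0.2.10", now=1061.0),   # True
        # TempDir that does not exist: no throttle, but the search still runs.
        "missing_dir": throttled_search(os.path.join(base, "nowhere"),
                                        "192.0.2.10", now=1000.0),         # (True, False)
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The check in tempdir_is_private is the one worth running against whatever TempDir resolves to on a shared host: a directory that is world-writable, or owned by someone else, gives exactly the two outcomes the post describes (IP addresses readable by every other account, or a throttle DB you cannot open). Note that throttled_search keeps MT’s fail-open behaviour deliberately, so the second element of its result is the signal an operator should be alerting on.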
