conf/80907: tmpmfs default change

Giorgos Keramidas keramida at
Fri May 13 12:00:23 GMT 2005

The following reply was made to PR conf/80907; it has been noted by GNATS.

From: Giorgos Keramidas <keramida at>
To: aeonflux <aeonflux at>
Cc: bug-followup at
Subject: Re: conf/80907: tmpmfs default change
Date: Fri, 13 May 2005 14:55:59 +0300

 On 2005-05-12 17:10, aeonflux <aeonflux at> wrote:
 >On May 12, 2005 09:59 am, Giorgos Keramidas wrote:
 >> On 2005-05-11 17:38, Caitlen <aeonflux at> wrote:
 >> > by default
 >> > tmpmfs_flags="-S"
 >> > When in reality
 >> > tmpmfs_flags="-S -o nosymfollow,nosuid"
 >> >
 >> > would be much safer
 >> I don't think this is really a bug, but anyway.  It would probably be
 >> safer to use:
 >> 	tmpmfs_flags="-S -o noatime,noexec,nosuid,nosymfollow"
 >> The ability to actually *use* whatever options are best for your system
 >> is exactly why I made the original change to rc.d/tmp, but I'm not sure
 >> if it would be good to enforce so strict permissions to everyone :-/
 > Good point, but I do think a nosymfollow is a good default.  There's really no
 > reason to allow /tmp symlink race conditions to happen.  Since it's a memory
 > fs, disabling atime doesn't really make a big difference.
 > Anyways just a suggestion, I'll be definitely setting nosymfollow on my
 > machine here.
 I'm a bit worried about giving a false sense of "secure default setup",
 by having /tmp mounted as "nosymfollow".  Users who are determined to
 attempt symlink race hacks may also set TMPDIR=/var/tmp or even
 TMPDIR=/home/smartass/tmp and try their luck there.
 Mounting both /tmp and /var as nosymfollow runs the risk of crippling
 everyone's use of the file systems without actually being a 100%
 bulletproof solution.
 - Giorgos
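
Added example, not part of the original message or of FreeBSD's rc scripts: a small audit that resolves each candidate temporary directory named in the thread to the file system holding it and lists which of the wanted mount options that file system lacks. The mount table is a constructed sample in fstab(5) field order, and the helper names `mount_for` and `missing_opts` are hypothetical.

```shell
#!/bin/sh
# Constructed sample mount table (fstab(5) field order:
# device mountpoint fstype options dump pass). Not taken from the PR.
# On a live FreeBSD host, `mount -p` prints the same fields.
SAMPLE_MOUNTS='/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1e /var ufs rw,nosuid 2 2
/dev/ad0s1f /home ufs rw 2 2
/dev/md0 /tmp ufs rw,nosuid,nosymfollow 0 0'

# mount_for DIR: print "mountpoint options" for the file system holding DIR,
# i.e. the longest mount point that is a path prefix of DIR.
mount_for() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk -v dir="$1" '
        {
            mp = $2
            pre = (mp == "/") ? "/" : mp "/"
            if ((dir == mp || index(dir "/", pre) == 1) && length(mp) > best) {
                best = length(mp); out = mp " " $4
            }
        }
        END { if (out != "") print out }'
}

# missing_opts DIR WANTED: print the comma-separated WANTED options that the
# file system holding DIR is not mounted with (empty output = none missing).
missing_opts() {
    have=$(mount_for "$1" | cut -d' ' -f2)
    missing=
    old_ifs=$IFS; IFS=,
    for opt in $2; do
        case ",$have," in
            *",$opt,"*) ;;
            *) missing="${missing:+$missing,}$opt" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$missing"
}

# The three TMPDIR candidates mentioned in the thread.
for d in /tmp /var/tmp /home/smartass/tmp; do
    m=$(missing_opts "$d" nosymfollow,nosuid)
    echo "$d: ${m:-ok}"
done
```

With this sample table only /tmp carries both options, which is the gap the reply describes: a process can still point TMPDIR at a directory on a file system mounted without them.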
