conf/80907: tmpmfs default change
Giorgos Keramidas
keramida at freebsd.org
Fri May 13 12:00:23 GMT 2005
The following reply was made to PR conf/80907; it has been noted by GNATS.
From: Giorgos Keramidas <keramida at freebsd.org>
To: aeonflux <aeonflux at aeonflux.no-ip.com>
Cc: bug-followup at freebsd.org
Subject: Re: conf/80907: tmpmfs default change
Date: Fri, 13 May 2005 14:55:59 +0300
On 2005-05-12 17:10, aeonflux <aeonflux at aeonflux.no-ip.com> wrote:
> On May 12, 2005 09:59 am, Giorgos Keramidas wrote:
>> On 2005-05-11 17:38, Caitlen <aeonflux at aeonflux.no-ip.com> wrote:
>> > by default
>> > tmpmfs_flags="-S"
>> > When in reality
>> > tmpmfs_flags="-S -o nosymfollow,nosuid"
>> >
>> > would be much safer
>>
>> I don't think this is really a bug, but anyway. It would probably be
>> safer to use:
>>
>> tmpmfs_flags="-S -o noatime,noexec,nosuid,nosymfollow"
>>
>> The ability to actually *use* whatever options are best for your system
>> is exactly why I made the original change to rc.d/tmp, but I'm not sure
>> if it would be good to enforce so strict permissions to everyone :-/
>
> Good point, but I do think a nosymfollow is a good default. There's really no
> reason to allow /tmp symlink race conditions to happen. Since it's a memory
> fs, disabling atime doesn't really make a big difference.
>
> Anyways just a suggestion, I'll be definitely setting nosymfollow on my
> machine here.
I'm a bit worried about giving a false sense of "secure default setup",
by having /tmp mounted as "nosymfollow". Users who are determined to
attempt symlink race hacks may also set TMPDIR=/var/tmp or even
TMPDIR=/home/smartass/tmp and try their luck there.
Mounting both /tmp and /var as nosymfollow runs the risk of crippling
everyone's use of the file systems without actually being a 100%
bulletproof solution.
- Giorgos
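The two rc.conf settings discussed in this thread, with a small check that reports which of the proposed mount options are missing from the /tmp and /var mounts of a running system. This is an added example, not code from the PR or from FreeBSD's rc.d/tmp; it assumes mount(8) prints lines of the form "dev on /mnt (type, opt, opt)" and the mount lines it parses are constructed samples, not output captured from a real host.

```sh
#!/bin/sh
# Added example (not from the PR thread). Shows the weak and the hardened
# tmpmfs_flags lines for /etc/rc.conf and checks mount(8) output for the
# options the thread proposes.
#
# Stock setting the PR complains about:
#   tmpmfs="YES"
#   tmpmfs_flags="-S"
# Hardened setting proposed in the thread:
#   tmpmfs_flags="-S -o noatime,noexec,nosuid,nosymfollow"

# Options the check looks for (noatime is left out: it is a performance
# knob, not a security one).
WANT_OPTS="nosymfollow nosuid noexec"

# missing_tmp_opts MOUNTLINE
# Prints the wanted options absent from one mount(8) line, space-separated,
# or an empty line when all are present.  Assumes the "dev on /mnt (opts)"
# line format.
missing_tmp_opts() {
    line=$1
    opts=$(printf '%s\n' "$line" | sed -n 's/^.*(\(.*\))$/\1/p' | tr ',' ' ')
    missing=""
    for o in $WANT_OPTS; do
        found=0
        for have in $opts; do
            [ "$have" = "$o" ] && found=1
        done
        [ "$found" -eq 0 ] && missing="$missing $o"
    done
    printf '%s\n' "${missing# }"
}

# check_tmp_mounts MOUNTOUTPUT
# Walks full mount(8) output and prints "<mountpoint>: missing <opts>" for
# /tmp, /var and /var/tmp.  Only these mountpoints are inspected: as the
# thread notes, a user who sets TMPDIR elsewhere is outside this check.
check_tmp_mounts() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        mp=$(printf '%s\n' "$line" | sed -n 's/^[^ ]* on \([^ ]*\) (.*$/\1/p')
        case "$mp" in
            /tmp|/var|/var/tmp) ;;
            *) continue ;;
        esac
        m=$(missing_tmp_opts "$line")
        if [ -n "$m" ]; then
            printf '%s: missing %s\n' "$mp" "$m"
        fi
    done
}

# Constructed sample output (not captured from a real system).
SAMPLE_MOUNTS="$(printf '%s\n%s\n%s' \
    '/dev/ada0p2 on / (ufs, local)' \
    '/dev/md0 on /tmp (ufs, local, nosuid, nosymfollow)' \
    '/dev/ada0p3 on /var (ufs, local)')"

# Run against the live system when invoked directly: replace SAMPLE_MOUNTS
# with "$(mount)".
check_tmp_mounts "$SAMPLE_MOUNTS"
```

On a real host, call check_tmp_mounts "$(mount)" after the tmpmfs_flags change and a reboot (or a remount) to confirm the options actually took effect; an empty result means /tmp and /var carry all three options, which still leaves the TMPDIR caveat Giorgos raises.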