conf/80907: tmpmfs default change

Giorgos Keramidas keramida at freebsd.org
Fri May 13 12:00:23 GMT 2005


The following reply was made to PR conf/80907; it has been noted by GNATS.

From: Giorgos Keramidas <keramida at freebsd.org>
To: aeonflux <aeonflux at aeonflux.no-ip.com>
Cc: bug-followup at freebsd.org
Subject: Re: conf/80907: tmpmfs default change
Date: Fri, 13 May 2005 14:55:59 +0300

 On 2005-05-12 17:10, aeonflux <aeonflux at aeonflux.no-ip.com> wrote:
 >On May 12, 2005 09:59 am, Giorgos Keramidas wrote:
 >> On 2005-05-11 17:38, Caitlen <aeonflux at aeonflux.no-ip.com> wrote:
 >> > by default
 >> > tmpmfs_flags="-S"
 >> > When in reality
 >> > tmpmfs_flags="-S -o nosymfollow,nosuid"
 >> >
 >> > would be much safer
 >>
 >> I don't think this is really a bug, but anyway.  It would probably be
 >> safer to use:
 >>
 >> 	tmpmfs_flags="-S -o noatime,noexec,nosuid,nosymfollow"
 >>
 >> The ability to actually *use* whatever options are best for your system
 >> is exactly why I made the original change to rc.d/tmp, but I'm not sure
 >> if it would be good to enforce so strict permissions to everyone :-/
 >
 > Good point, but I do think a nosymfollow is a good default.  There's really no
 > reason to allow /tmp symlink race conditions to happen.  SInce it's a memory
 > fs, disabling atime doesn't really make a big difference.
 >
 > Anyways just a suggestion, I'll be definitely setting nosymfollow on my
 > machine here.
 
 I'm a bit worried about giving a false sense of "secure default setup",
 by having /tmp mounted as "nosymfollow".  Users who are determined to
 attempt symlink race hacks may also set TMPDIR=/var/tmp or even
 TMPDIR=/home/smartass/tmp and try their luck there.
 
 Mounting both /tmp and /var as nosymfollow runs the risk of crippling
 everyone's use of the file systems without actually being a 100%
 bulletproof solution.
 
 - Giorgos
 


More information about the freebsd-bugs mailing list