hardening /tmp

Valeri Galtsev galtsev at kicp.uchicago.edu
Wed Feb 8 18:00:02 UTC 2017 

On Wed, February 8, 2017 11:19 am, Matt Smith wrote:
> On Feb 08 10:22, James B. Byrne via freebsd-questions wrote:
>>How do most people handle hardening /tmp and /var/tmp on FreeBSD?  I
>>can get rid of /tmp from the file system and then simply mount it as a
>>tmpfs in /etc/fstab.
>>
>>tmpfs         /tmp        tmpfs   rw,nosuid,noexec,mode=01777 0     0
>>
>>However, /var/tmp is supposed to survive across reboots so how is this
>>handled?
>>
>
> I tried exactly this along with also doing it to /var/tmp and decided to
> back out my changes. If you mount /tmp noexec you will find that make
> installworld breaks. tmpfs doesn't allow you to change mount options so
> you have to unmount it. Unmounting it kills tmux or screen which I use.
> It's just hassle!

In the past when hardening Linuxes and mounting /tmp with
nosuid,noexec,nodev options I had to ban several things, one I recollect
was openoffice. What that beast was doing was creating executable (script
probably, not binary) in /tmp and then executing that whenever you start
openoffice. It didn't add to my disliking it, as I already had gross
prejudice to all java based everything.

I guess, some stuff is just not written with security in mind...

>
> And /var/tmp has vi.recover in it which is created on boot by

This, luckily, is not hurt by nosuid,noexec,nodev, so vi will function as
it did, but to have it that way, one needs separate partition for it.
There may exist something that does nasty stuff in /var/tmp like
openoffice does in /var to function.

Valeri

> /etc/rc.d/virecover but it creates this before the tmpfs is mounted over
> the top of it so the result is that it doesn't exist. I don't know what
> the effects of that are, especially as I use vim but still it annoyed
> me.
>
> --
> Matt
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

More information about the freebsd-questions mailing list