LinuxQuestions.org
Old 10-16-2010, 09:54 PM   #1
mrmnemo
question regarding noexec,nodev at /tmp


hi,

So, if I am going to use apt-get to run installs, then how do I use noexec,nodev on /tmp? It seems that /tmp is used for configuring packages. Should I be looking into an ACL/MAC set-up instead?

Thanks
 
Old 10-17-2010, 06:44 AM   #2
unSpawn
See the "/etc/apt/apt.conf" ("/etc/apt/apt.conf.d/70debconf"?) part of http://www.debian-administration.org...non-executable or use a different directory (a /dev/shm?) for scripts?
Old 10-17-2010, 10:22 AM   #3
mrmnemo
unSpawn,
In your opinion, is setting the noexec bit even worth it? I noticed that it can be worked around in a snap.
Old 10-17-2010, 10:48 AM   #4
mrmnemo
Just wanted to add this:

In Ubuntu systems, while /etc/apt.conf is listed on their site as the conf file, you actually get a directory of "part" files. At least for me with x64 (see below).
Code:
ls /etc/apt/apt.conf.d/ && cat /etc/apt/apt.conf.d/70debconf 
00trustcdrom  01autoremove  01ubuntu  05aptitude  10periodic  15update-stamp  20archive  20dbus  50unattended-upgrades  70debconf  99synaptic  99update-notifier

####

// Pre-configure all packages with debconf before they are installed.
// If you don't like it, comment it out.
DPkg::Pre-Install-Pkgs {"/usr/sbin/dpkg-preconfigure --apt || true";};
DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};
Old 10-17-2010, 11:54 AM   #5
unSpawn
Quote:
Originally Posted by mrmnemo
is setting the noexec bit even worth it?
It depends. If you're looking to thwart script execution ('/bin/interpreter /tmp/file.ext') it won't, but if you're looking to thwart binary execution ('/lib/ld-linux.so.2 /tmp/malicious.elf') that'll work fine. Stopping binary execution is good, but you should make certain you are alerted long before that something is wrong: similar to onions (or Ogres), security has layers. Logging execution in /tmp also comes in handy right after you enable the feature, as there are more applications that may need a directory in which they can execute something. I prefer /dev/shm for anything that isn't persistent.
Old 10-17-2010, 07:00 PM   #6
mrmnemo
Cool! So I guess I will need to look into totally replacing temp with /dev/shm? Will do a little googling and see what I find.

As before, Thanks !
Old 10-18-2010, 02:06 AM   #7
unSpawn
Adding 'tmpfs /dev/shm tmpfs size=128m,mode=1777 0 0' to /etc/fstab should get tmpfs mounted. Then exporting TMP=/dev/shm in init scripts (and say /etc/profile.d/tempdirs.sh) should cover most except subsystems and tools for which you have to configure it manually. There may remain a few that want to use other temp dirs like /var/tmp though ('lsof -Pwln|grep /tmp').
Old 10-20-2010, 11:26 AM   #8
mrmnemo
So just to make sure I got this right (excuse any typing errors.. wearing a brace).

1. tmpfs: truly temp in that during reboot it gets "re-created"?

2. /dev/shm: do I need a physical partition for it or does it reside somewhere else (it may sound stupid.. I need to know though)?

3. Should I not add noexec to
Code:
tmpfs /dev/shm tmpfs size=128m,mode=1777 0 0
at /etc/fstab?

4. 128m does not seem very large, is it?

5. This is a desktop, so are the things you're telling me about going to restrict its local users as well (that would be me 8))?

As before, THANKS!
Old 10-20-2010, 12:36 PM   #9
unSpawn
Quote:
Originally Posted by mrmnemo
tmpfs: truly temp in that during reboot it gets "re-created"?
Yes.


Quote:
Originally Posted by mrmnemo
/dev/shm: do I need a physical partition for it or does it reside somewhere else
RAM


Quote:
Originally Posted by mrmnemo
Should I not add noexec to
Code:
tmpfs /dev/shm tmpfs size=128m,mode=1777 0 0
at /etc/fstab?
See 'man mount', the "Mount options for tmpfs" part for which "-o" it accepts?


Quote:
Originally Posted by mrmnemo
128m does not seem very large, is it?
Sure, size matters, but only in relation to something. If the total amount of temp files used at one point in time never exceeds 64MB then it would be "large enough", but if you only have a total of 512MB RAM then it would be "quite large".


Quote:
Originally Posted by mrmnemo
This is a desktop, so are the things you're telling me about going to restrict its local users as well (that would be me 8))?
Mounting /tmp -o noexec may affect system services and local users, yes. Using tmpfs won't affect system services and local users unless you export TEMP early on in the boot process or in /etc/profile.d for specific users or mount /tmp as tmpfs in RAM.
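A way to check the outcome of the advice in posts #4, #7 and #9, as an added example that is not from the thread: it parses mount-table lines (/proc/mounts, or /etc/fstab, since the first four fields line up) and reports which of nodev, nosuid and noexec a given mountpoint lacks. The MOUNTS_SAMPLE table is constructed so the script runs offline; set MOUNTS_FILE=/proc/mounts to audit a live system.

```shell
#!/bin/sh
# Added example, not from the thread: audit the mount options of the temp
# directories discussed above (/tmp and the tmpfs on /dev/shm).
# Set MOUNTS_FILE=/proc/mounts (or /etc/fstab: the first four fields line up)
# to check a live system; otherwise the constructed sample below is used.

MOUNTS_SAMPLE='tmpfs /dev/shm tmpfs rw,nosuid,nodev,size=131072k,mode=1777 0 0
/dev/sda2 /tmp ext4 rw,relatime,nodev,noexec 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0'

# Emit mount-table lines: the real file if MOUNTS_FILE is set, else the sample.
mounts_source() {
    if [ -n "${MOUNTS_FILE:-}" ]; then cat "$MOUNTS_FILE"; else printf '%s\n' "$MOUNTS_SAMPLE"; fi
}

# Read mount-table lines on stdin and print which of nodev,nosuid,noexec the
# given mountpoint lacks: empty means fully hardened, "not-mounted" means absent.
missing_opts_in() {
    mp=$1
    # field 2 is the mountpoint, field 4 the option list; last entry wins
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || { echo not-mounted; return 0; }
    out=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;                        # option present
            *) out="${out:+$out,}$want" ;;         # option missing
        esac
    done
    printf '%s\n' "$out"
}

# Convenience wrapper over the configured mount table.
missing_opts() { mounts_source | missing_opts_in "$1"; }

# Stand-alone run: report on the directories mentioned in the thread.
for d in /tmp /dev/shm /var/tmp; do
    m=$(missing_opts "$d")
    printf '%s: %s\n' "$d" "${m:-hardened}"
done
```

Fed the fstab line from post #7 it reports nodev,nosuid,noexec as missing, which is exactly item 3 of post #8; run against /proc/mounts right after an apt-get run it also shows whether the Post-Invoke remount from post #4 put noexec back on /tmp.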
Old 10-20-2010, 04:06 PM   #10
mrmnemo
Thanks. That was very well explained. I appreciate your help.