LinuxQuestions.org


agriz 12-01-2011 01:32 AM

How to secure tmp folder?
 
Hi

I want to secure the tmp folder and want to stop any execution there.

Please guide me on that.

Thanks

PS: I am getting a lot of 500 and 502 errors here. Please fix it. For every click I am getting it.

jschiwal 12-01-2011 06:29 AM

If /tmp is on its own partition, you could add the "noexec,nosuid,nodev" mount options in /etc/fstab. It won't make it impossible for a person to execute files (a clever person can get around it) but can prevent accidental execution.

For example:
Code:

sudo mv /tmp /oldtmp
sudo mkdir /tmp
sudo mount --bind /oldtmp /tmp
sudo mount /tmp -o remount,nosuid,noexec,nodev

> ./ls
bash: ./ls: Permission denied
> /lib64/ld-linux-x86-64.so.2 ./ls
./ls: error while loading shared libraries: ./ls: failed to map segment from shared object: Operation not permitted

Look at the mount manpage. It shows what a --bind mount fstab entry looks like.

On older versions of Linux, /lib/ld-linux.so /tmp/<program> would run the program. This hole has been plugged.

For Debian distributions, installing packages requires files in /tmp to be executable. You need to modify the system to remount /tmp before install and again after.

---
/tmp should just be used for temporary files, such as when modifying a file and needing to redirect to a temporary file before replacing the original:
sed 's/john/mike/' file >/tmp/tmpfile
mv /tmp/tmpfile file

You shouldn't be saving things there. Since you want to make /tmp more secure, delete all files in /tmp when you power down. Most distros have a setting to do that. A malicious file will be removed then.
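
An added example, not part of the posts above: a small audit that checks whether a mount table gives /tmp the noexec, nosuid and nodev options discussed in the reply, including the case where /tmp has no mount entry of its own. The function name `tmp_mount_audit` and the sample table are constructed for illustration; the input is assumed to be in /proc/self/mounts format.

```shell
#!/bin/sh
# Added example (not from the thread): audit the mount options of /tmp.
# Reads a mount table in /proc/self/mounts format on stdin.

# tmp_mount_audit [MOUNT_POINT]
#   prints "ok"                all of noexec,nosuid,nodev are set (returns 0)
#   prints "missing: <opts>"   some are absent (returns 1)
#   prints "not-a-mountpoint"  the directory has no mount entry of its own,
#                              so the options cannot be applied (returns 2)
tmp_mount_audit() {
    tma_target=${1:-/tmp}
    # Field 2 = mount point, field 4 = options. With stacked mounts the
    # last matching line is the one currently in effect.
    tma_opts=$(awk -v t="$tma_target" '$2 == t { o = $4 } END { print o }')
    if [ -z "$tma_opts" ]; then
        echo "not-a-mountpoint"
        return 2
    fi
    tma_missing=""
    for tma_want in noexec nosuid nodev; do
        # Wrap in commas so "nosuid" never matches inside another option.
        case ",$tma_opts," in
            *",$tma_want,"*) ;;
            *) tma_missing="${tma_missing:+$tma_missing }$tma_want" ;;
        esac
    done
    if [ -n "$tma_missing" ]; then
        echo "missing: $tma_missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample table: an older /tmp entry with a hardened mount
# stacked on top of it.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

sample_mounts | tmp_mount_audit /tmp || :
# On a live system: tmp_mount_audit /tmp < /proc/self/mounts
```
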


All times are GMT -5.