LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-02-2007, 08:32 AM   #1
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Rep: Reputation: 39
Perms/ACL's on /tmp


Would it make perfect sense to set a default perm on /tmp with ACL's so as any new files/folders created have 700 or 600 permissions ?? Why would any other user besides the one creating the temp files/folders need to access any other files ?

Makes sense to me but thought I'd ask before I implement it in case I am missing anything that will break something.
 
Old 03-02-2007, 12:18 PM   #2
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
What do you mean by default perms? Do you mean default perms for the directory itself - 755? Wouldnt that effectively mean that only root or the owner of /tmp could write into /tmp? I'm not sure you would want that.

The way it usually is is that /tmp is set to 1777 which means everyone can do whatever they want with their files. The 1 in 1777 would stand for the sticky bit and this would mean that I can whop Dave's files from /tmp even if I could write into /tmp.

Using ACL's is fine but then unless you have a specific user/group who are the only ones supposed to access these files it's a bit of overkill, specially for something supposed to be world writeable like /tmp. Unless you want to restrict people from using /tmp all together.

Cheers
Arvind
 
Old 03-05-2007, 12:23 AM   #3
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
No I mean using ACL default settings on tmp so that any file or folder created by "adam" would be 700 and owner by "adam" and any file or folder created by www-data would be 700 and owner by www-data.

Maybe I am not making sense here, was just thinking out loud how users can read and write others users temp files and how that may be a security risk.
 
Old 03-05-2007, 12:36 AM   #4
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
What you're asking for is easily acheived using umask. Incase you're not sure about its usage I'd suggest you read the umask man page over here.

http://www.nada.kth.se/cgi-bin/man?p...s=1&ss=&M=&f=y

Cheers
Arvind
 
Old 03-05-2007, 03:10 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by DaveQB
Would it make perfect sense to set a default perm on /tmp with ACL's so as any new files/folders created have 700 or 600 permissions ?? Why would any other user besides the one creating the temp files/folders need to access any other files ?

Makes sense to me but thought I'd ask before I implement it in case I am missing anything that will break something.
i'm curious if this would work too... i mean, it does sound like it makes sense... but, considering how i've never seen a distro do this, i am compelled to think that something would indeed break...

Quote:
Originally Posted by DaveQB
Maybe I am not making sense here, was just thinking out loud how users can read and write others users temp files and how that may be a security risk.
well, by default other users can read, but they can't write - unless there's something terribly wrong with your umask...

Last edited by win32sux; 03-05-2007 at 03:16 AM.
 
Old 03-05-2007, 03:41 AM   #6
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
If your umask is set properly and the permissions on your files are OK I really dont think what you want to do would even be necessary. It would be a bit of overkill according to me.

Cheers
Arvind
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
kde, /tmp, /var/tmp and all that garba Linux - Software 4 06-17-2005 12:31 PM
Linux ACL's? gsmonk Linux - General 4 09-06-2003 02:35 PM
Numerous scb_*.tmp files in /tmp dburk Programming 3 08-18-2003 04:28 PM
squid ACL's seanfitz Linux - Networking 0 05-13-2003 07:28 AM
Newbie question - /tmp /var/tmp Mr happy Linux - Security 3 01-27-2003 01:03 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:44 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration