Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Would it make perfect sense to set a default perm on /tmp with ACL's so as any new files/folders created have 700 or 600 permissions ?? Why would any other user besides the one creating the temp files/folders need to access any other files ?
Makes sense to me but thought I'd ask before I implement it in case I am missing anything that will break something.
What do you mean by default perms? Do you mean default perms for the directory itself - 755? Wouldnt that effectively mean that only root or the owner of /tmp could write into /tmp? I'm not sure you would want that.
The way it usually is is that /tmp is set to 1777 which means everyone can do whatever they want with their files. The 1 in 1777 would stand for the sticky bit and this would mean that I can whop Dave's files from /tmp even if I could write into /tmp.
Using ACL's is fine but then unless you have a specific user/group who are the only ones supposed to access these files it's a bit of overkill, specially for something supposed to be world writeable like /tmp. Unless you want to restrict people from using /tmp all together.
No I mean using ACL default settings on tmp so that any file or folder created by "adam" would be 700 and owner by "adam" and any file or folder created by www-data would be 700 and owner by www-data.
Maybe I am not making sense here, was just thinking out loud how users can read and write others users temp files and how that may be a security risk.
Would it make perfect sense to set a default perm on /tmp with ACL's so as any new files/folders created have 700 or 600 permissions ?? Why would any other user besides the one creating the temp files/folders need to access any other files ?
Makes sense to me but thought I'd ask before I implement it in case I am missing anything that will break something.
i'm curious if this would work too... i mean, it does sound like it makes sense... but, considering how i've never seen a distro do this, i am compelled to think that something would indeed break...
Quote:
Originally Posted by DaveQB
Maybe I am not making sense here, was just thinking out loud how users can read and write others users temp files and how that may be a security risk.
well, by default other users can read, but they can't write - unless there's something terribly wrong with your umask...
If your umask is set properly and the permissions on your files are OK I really dont think what you want to do would even be necessary. It would be a bit of overkill according to me.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
