LinuxQuestions.org

Linux - Software forum: question regarding noexec,nodev at /tmp (https://www.linuxquestions.org/questions/linux-software-2/question-regarding-noexec-nodev-at-tmp-838579/)

mrmnemo 10-16-2010 09:54 PM

question regarding noexec,nodev at /tmp
 
hi,

So, if I am going to use apt-get to run installs, then how do I use noexec,nodev on /tmp? It seems that /tmp is used for configuring packages. Should I be looking into ACL/MAC set-up instead?

Thanks

unSpawn 10-17-2010 06:44 AM

See the "/etc/apt/apt.conf" ("/etc/apt/apt.conf.d/70debconf"?) part of http://www.debian-administration.org...non-executable or use a different directory (a /dev/shm?) for scripts?

mrmnemo 10-17-2010 10:22 AM

unSpawn,
In your opinion, is setting the noexec bit even worth it? I noticed that it can be worked around in a snap.

mrmnemo 10-17-2010 10:48 AM

Just wanted to add this:

In Ubuntu systems, while /etc/apt.conf is listed on their site as the conf file, you actually get a directory of "part" files. At least for me with x64 (see below).
Code:

ls /etc/apt/apt.conf.d/ && cat /etc/apt/apt.conf.d/70debconf
00trustcdrom  01autoremove  01ubuntu  05aptitude  10periodic  15update-stamp  20archive  20dbus  50unattended-upgrades  70debconf  99synaptic  99update-notifier

####

// Pre-configure all packages with debconf before they are installed.
// If you don't like it, comment it out.
DPkg::Pre-Install-Pkgs {"/usr/sbin/dpkg-preconfigure --apt || true";};
DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};


unSpawn 10-17-2010 11:54 AM

Quote:

Originally Posted by mrmnemo (Post 4130342)
is setting the noexec bit even worth it?

It depends. If you're looking to thwart script execution ('/bin/interpreter /tmp/file.ext') it won't, but if you're looking to thwart binary execution ('/lib/ld-linux.so.2 /tmp/malicious.elf') that'll work fine. Stopping binary execution is good but you should make certain you are alerted long before that something is wrong: similar to onions (or Ogres) security has layers. Logging execution in /tmp also comes in handy right after you enable the feature, as there are more applications that may need a directory in which they can execute something. I prefer /dev/shm for anything that isn't persistent.

mrmnemo 10-17-2010 07:00 PM

Cool! So I guess I will need to look into totally replacing temp with /dev/shm? Will do a little googling and see what I find.

As before, thanks!

unSpawn 10-18-2010 02:06 AM

Adding 'tmpfs /dev/shm tmpfs size=128m,mode=1777 0 0' to /etc/fstab should get tmpfs mounted. Then exporting TMP=/dev/shm in init scripts (and say /etc/profile.d/tempdirs.sh) should cover most except subsystems and tools for which you have to configure it manually. There may remain a few that want to use other temp dirs like /var/tmp though ('lsof -Pwln|grep /tmp').

mrmnemo 10-20-2010 11:26 AM

So just to make sure I got this right (excuse any typing errors, wearing a brace).

1. tmpfs: truly temp in that during reboot it gets "re-created"?

2. /dev/shm: do I need a physical partition for it or does it reside somewhere else (it may sound stupid, I need to know though)?

3. Should I not add noexec to
Code:

tmpfs /dev/shm tmpfs size=128m,mode=1777 0 0
at /etc/fstab?

4. 128m does not seem very large, is it?

5. This is a desktop, so are the things you're telling me about going to restrict its local users as well (that would be me 8))?

As before, THANKS!

unSpawn 10-20-2010 12:36 PM

Quote:

Originally Posted by mrmnemo (Post 4133702)
tmpfs: truly temp in that during reboot it gets "re-created"?

Yes.


Quote:

Originally Posted by mrmnemo (Post 4133702)
/dev/shm: do I need a physical partition for it or does it reside somewhere else

RAM


Quote:

Originally Posted by mrmnemo (Post 4133702)
Should I not add noexec to
Code:

tmpfs /dev/shm tmpfs size=128m,mode=1777 0 0
at /etc/fstab?

See 'man mount', the "Mount options for tmpfs" part for which "-o" it accepts?


Quote:

Originally Posted by mrmnemo (Post 4133702)
128m does not seem very large is it?

Sure, size matters, but only in relation to something. If the total amount of temp files used at one point in time never exceeds 64MB then it would be "large enough", but if you only have a total of 512MB RAM then it would be "quite large".


Quote:

Originally Posted by mrmnemo (Post 4133702)
This is a desktop, so are the things you're telling me about going to restrict its local users as well (that would be me 8))?

Mounting /tmp -o noexec may affect system services and local users, yes. Using tmpfs won't affect system services and local users unless you export TEMP early on in the boot process or in /etc/profile.d for specific users or mount /tmp as tmpfs in RAM.
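
As an added example (not from the thread or its posters), here is a small POSIX sh audit that reads a mounts table in /proc/mounts format and reports which of nodev, nosuid and noexec are missing from /tmp and /dev/shm, the directories discussed above. By default it reads a constructed sample table so it runs offline; setting MOUNTS_FILE=/proc/mounts audits a live system. The function names (mount_opts, missing_opts, audit_mount) are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit the mount options of /tmp and /dev/shm.
# MOUNTS_FILE defaults to a constructed sample in /proc/mounts format (offline run);
# MOUNTS_FILE=/proc/mounts audits a live system instead.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,size=131072k,mode=1777 0 0
/dev/sda3 /tmp ext4 rw,relatime,nodev 0 0
EOF
MOUNTS_FILE=${MOUNTS_FILE:-$SAMPLE_MOUNTS}
# mount_opts <mountpoint>: print its option field; empty output = not a separate mount.
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4; exit }' "$MOUNTS_FILE"
}
# missing_opts <mountpoint> <opt>...: print, one per line, each requested option
# that is absent from the mountpoint's option list (no output = all present).
missing_opts() {
    m=$1; shift
    opts=$(mount_opts "$m")
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;        # option present, say nothing
            *) echo "$want" ;;
        esac
    done
}
# audit_mount <mountpoint> <opt>...: one-line report; returns 0 when every option
# is set, 1 when some are missing, 2 when the path is not a separate mount.
audit_mount() {
    mp=$1; shift
    if [ -z "$(mount_opts "$mp")" ]; then
        echo "$mp: not a separate mount, options cannot be enforced here"
        return 2
    fi
    missing=$(missing_opts "$mp" "$@" | tr '\n' ' ')
    if [ -z "$missing" ]; then
        echo "$mp: ok ($*)"
        return 0
    fi
    echo "$mp: missing $missing"
    return 1
}
# Report on the two directories from the thread (status not checked, so the
# report completes even when something is missing).
for d in /tmp /dev/shm; do
    audit_mount "$d" nodev nosuid noexec || :
done
```

Against the sample table the report flags /tmp as missing nosuid and noexec and /dev/shm as missing only noexec; a /tmp that is part of the root filesystem (the situation the original question describes) is reported as not a separate mount.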

mrmnemo 10-20-2010 04:06 PM

Thanks. That was very well explained. I appreciate your help.

