Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 8 Feb 2017 16:43:46 +0100 (CET)
From:      =?ISO-8859-1?Q?Trond_Endrest=F8l?= <Trond.Endrestol@fagskolen.gjovik.no>
To:        byrnejb@harte-lyne.ca
Cc:        FreeBSD-questions@freebsd.org
Subject:   Re: hardening /tmp
Message-ID:  <alpine.BSF.2.20.1702081640410.97144@mail.fig.ol.no>
In-Reply-To: <687643e26aeb858b3b5d9f5693829360.squirrel@webmail.harte-lyne.ca>
References:  <687643e26aeb858b3b5d9f5693829360.squirrel@webmail.harte-lyne.ca>

next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 8 Feb 2017 10:22-0500, James B. Byrne via freebsd-questions wrote:

> How do most people handle hardening /tmp and /var/tmp on FreeBSD?  I
> can get rid of /tmp from the file system and then simply mount it as a
> tmpfs in /etc/fstab.
> 
> tmpfs         /tmp        tmpfs   rw,nosuid,noexec,mode=01777 0     0
> 
> However, /var/tmp is supposed to survive across reboots so how is this
> handled?

If ZFS is an option, then create a separate dataset/filesystem for 
/var/tmp, and set its quota to something sensible.

If UFS is your (only) option, then create a separate partition of 
reasonable size and mount that as your /var/tmp.

You can also consider a filebacked mfs of a certain size for your 
/var/tmp.

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
From owner-freebsd-questions@freebsd.org  Wed Feb  8 15:59:16 2017
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id EA5E8CD588F
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Wed,  8 Feb 2017 15:59:16 +0000 (UTC)
 (envelope-from odhiambo@gmail.com)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com
 [IPv6:2607:f8b0:400d:c09::235])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id B89ED17AC
 for <FreeBSD-questions@freebsd.org>; Wed,  8 Feb 2017 15:59:16 +0000 (UTC)
 (envelope-from odhiambo@gmail.com)
Received: by mail-qk0-x235.google.com with SMTP id s186so126651836qkb.1
 for <FreeBSD-questions@freebsd.org>; Wed, 08 Feb 2017 07:59:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
 bh=LhLTZ4max25eLxbAUMyeuRtM/JOEG1berz9BrkIpXx4=;
 b=pkgzwAckhVHVq1waf2vsPkUR7cBbn5ZHy2+k6ZPAuzMZKwLs5Kq4NtYiPW4elisI9j
 Gsepb/dP8LMqg6fkMJ10Pq0b+K2ZMhExodlXD/AE4L2ngfN4xYpNmVHFNftOylWxqGoA
 m+pK7HfBr93RiO+ejxCNcgSePkiHCH61MNVm8uTzhy3hqBAIMZokyd+DivgVEapi0EXg
 Rc88R5bn9+uZ0+EuTfyeyLkTrR0+V+Ef4uEDy5QfT8gbpnCFzeeh8cpWpSlkTD0isg/W
 tL0aJvvE14cYBpVLbGByunCnkxuz5WQfjApFvOcUfFdPPjobpMfheuijeEV/YUj3BI58
 YLdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to;
 bh=LhLTZ4max25eLxbAUMyeuRtM/JOEG1berz9BrkIpXx4=;
 b=aCSdpF1TSv57gDdf4N67HCTN+84SzdHXqjm+wPq8nnBQP+X+fc3cmcl4At+33FbzAY
 5RChQoL5bbE1QJc2/iE/OSlB9rtjRyK5mBCVOAnSHwlNO5YNPwFh68ZdM8590t4Swfc3
 hZzd++VTjhs5M4NjhHJtipsEn9fL7GJoRCmFZgv2u7QvgA2Swi2x6dp2K8uu8s1IZGJQ
 i6LwFSsyL00G96N7R5z94p2H8kMUPKGuE2q8BZgvYaaNWJi0KdGw6Gg3+kACBqSnxv2P
 2Q8a9y1C6BkEAxMpR1SGzhhaWrw603IYUbzFzXHiAlnuseTkBaYOrdXTXqaEPHVpBRFJ
 NVVg==
X-Gm-Message-State: AMke39nsUU59GeMoA6P6uN90CcPjRgZUZao9I49EBtSxb8nUfYM4UeuAuoBF7WMLlLq7Ze5hNv8QrgyCM/xTGA==
X-Received: by 10.55.210.70 with SMTP id f67mr19869414qkj.304.1486569555230;
 Wed, 08 Feb 2017 07:59:15 -0800 (PST)
MIME-Version: 1.0
Received: by 10.55.215.135 with HTTP; Wed, 8 Feb 2017 07:58:34 -0800 (PST)
In-Reply-To: <alpine.BSF.2.20.1702081640410.97144@mail.fig.ol.no>
References: <687643e26aeb858b3b5d9f5693829360.squirrel@webmail.harte-lyne.ca>
 <alpine.BSF.2.20.1702081640410.97144@mail.fig.ol.no>
From: Odhiambo Washington <odhiambo@gmail.com>
Date: Wed, 8 Feb 2017 18:58:34 +0300
Message-ID: <CAAdA2WNu4ZGQgRP97T6QL++M7aNmHQQO6_TYaxmD1G9wcMv8oQ@mail.gmail.com>
Subject: Re: hardening /tmp
To: User Questions <FreeBSD-questions@freebsd.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.23
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>;
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 15:59:17 -0000

On 8 February 2017 at 18:43, Trond Endrest=C3=B8l <Trond.Endrestol@fagskole=
n.
gjovik.no> wrote:

> On Wed, 8 Feb 2017 10:22-0500, James B. Byrne via freebsd-questions wrote=
:
>
> > How do most people handle hardening /tmp and /var/tmp on FreeBSD?  I
> > can get rid of /tmp from the file system and then simply mount it as a
> > tmpfs in /etc/fstab.
> >
> > tmpfs         /tmp        tmpfs   rw,nosuid,noexec,mode=3D01777 0     0
> >
> > However, /var/tmp is supposed to survive across reboots so how is this
> > handled?
>
> If ZFS is an option, then create a separate dataset/filesystem for
> /var/tmp, and set its quota to something sensible.
>
> If UFS is your (only) option, then create a separate partition of
> reasonable size and mount that as your /var/tmp.
>
> You can also consider a filebacked mfs of a certain size for your
> /var/tmp.
>
> --
> +-------------------------------+------------------------------------+
> | Vennlig hilsen,               | Best regards,                      |
> | Trond Endrest=C3=B8l,              | Trond Endrest=C3=B8l,             =
      |
> | IT-ansvarlig,                 | System administrator,              |
> | Fagskolen Innlandet,          | Gj=C3=B8vik Technical College, Norway, =
 |
> | tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
> | sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
>


What are we mitigating? A situation where some bad guy fills /tmp and
collapses the system/ Or a situation where a bad guy manages to access our
/tmp and uses it to launch his scripts?
I remember this hardening subject from years back, so I googled "freebsd
security hardeng" and found so much being discussed, including even a port
that was specifically made to achieve the same, as you can read from
https://linux-audit.com/freebsd-hardening-lynis/



--=20
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.20.1702081640410.97144>