Date: Wed, 8 Feb 2017 16:43:46 +0100 (CET)
From: Trond Endrestøl <Trond.Endrestol@fagskolen.gjovik.no>
To: byrnejb@harte-lyne.ca
Cc: FreeBSD-questions@freebsd.org
Subject: Re: hardening /tmp
Message-ID: <alpine.BSF.2.20.1702081640410.97144@mail.fig.ol.no>
In-Reply-To: <687643e26aeb858b3b5d9f5693829360.squirrel@webmail.harte-lyne.ca>
References: <687643e26aeb858b3b5d9f5693829360.squirrel@webmail.harte-lyne.ca>
On Wed, 8 Feb 2017 10:22-0500, James B. Byrne via freebsd-questions wrote:

> How do most people handle hardening /tmp and /var/tmp on FreeBSD? I
> can get rid of /tmp from the file system and then simply mount it as a
> tmpfs in /etc/fstab.
>
> tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
>
> However, /var/tmp is supposed to survive across reboots so how is this
> handled?

If ZFS is an option, then create a separate dataset/filesystem for
/var/tmp, and set its quota to something sensible.

If UFS is your (only) option, then create a separate partition of
reasonable size and mount that as your /var/tmp.

You can also consider a filebacked mfs of a certain size for your
/var/tmp.

--
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob. 952 62 567,         | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
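An added example, not part of this thread: a POSIX sh script that audits fstab text for the two temp mount points discussed above and encodes the ZFS dataset variant of the advice as a function. The fstab contents, device names and the 2G quota are constructed/assumed values; quota, setuid and exec are standard zfs(8) properties.

```shell
# Added example for this thread: audit fstab text for /tmp and /var/tmp and
# show the ZFS route as a function (only runs if called as root on a real pool).

# Constructed sample fstab: /tmp uses the tmpfs line from the question, while
# the separate UFS /var/tmp partition was mounted with plain "rw".
SAMPLE_FSTAB='# Device     Mountpoint  FStype  Options                     Dump Pass
/dev/ada0p2  /           ufs     rw                          1    1
tmpfs        /tmp        tmpfs   rw,nosuid,noexec,mode=01777 0    0
/dev/ada0p4  /var/tmp    ufs     rw                          2    2'

# Same constructed layout with /var/tmp hardened the way /tmp already is.
HARDENED_FSTAB='/dev/ada0p2  /         ufs    rw                          1 1
tmpfs        /tmp      tmpfs  rw,nosuid,noexec,mode=01777 0 0
/dev/ada0p4  /var/tmp  ufs    rw,nosuid,noexec            2 2'

# has_opt OPTS NAME: true when the comma-separated list OPTS contains NAME
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_tmp_mounts: reads fstab text on stdin, prints a verdict for each
# /tmp and /var/tmp entry, returns 1 if any of them lacks nosuid or noexec.
check_tmp_mounts() {
    rc=0
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in ''|\#*) continue ;; esac        # skip blanks/comments
        case "$mnt" in /tmp|/var/tmp) ;; *) continue ;; esac
        missing=""
        has_opt "$opts" nosuid || missing="$missing nosuid"
        has_opt "$opts" noexec || missing="$missing noexec"
        if [ -z "$missing" ]; then
            echo "OK    $mnt ($fstype): $opts"
        else
            echo "WEAK  $mnt ($fstype): missing$missing"
            rc=1
        fi
    done
    return "$rc"
}

# zfs_var_tmp POOL: the ZFS route from the reply above. quota/setuid/exec are
# standard zfs(8) properties; the 2G quota is an assumed value. exec=off
# mirrors noexec and can break tools that unpack and run helpers in /var/tmp.
zfs_var_tmp() {
    zfs create -o mountpoint=/var/tmp -o quota=2G \
        -o setuid=off -o exec=off "$1/var/tmp" && chmod 1777 /var/tmp
}

printf '%s\n' "$SAMPLE_FSTAB" | check_tmp_mounts || echo "at least one temp filesystem needs hardening"
```

Feed the real file with `check_tmp_mounts < /etc/fstab`; a non-zero exit status makes the check usable from a configuration audit job.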
Date: Wed, 8 Feb 2017 18:58:34 +0300
From: Odhiambo Washington <odhiambo@gmail.com>
To: User Questions <FreeBSD-questions@freebsd.org>
Subject: Re: hardening /tmp
Message-ID: <CAAdA2WNu4ZGQgRP97T6QL++M7aNmHQQO6_TYaxmD1G9wcMv8oQ@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.20.1702081640410.97144@mail.fig.ol.no>
References: <687643e26aeb858b3b5d9f5693829360.squirrel@webmail.harte-lyne.ca> <alpine.BSF.2.20.1702081640410.97144@mail.fig.ol.no>

On 8 February 2017 at 18:43, Trond Endrestøl <Trond.Endrestol@fagskolen.gjovik.no> wrote:

> On Wed, 8 Feb 2017 10:22-0500, James B. Byrne via freebsd-questions wrote:
>
> > How do most people handle hardening /tmp and /var/tmp on FreeBSD? I
> > can get rid of /tmp from the file system and then simply mount it as a
> > tmpfs in /etc/fstab.
> >
> > tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
> >
> > However, /var/tmp is supposed to survive across reboots so how is this
> > handled?
>
> If ZFS is an option, then create a separate dataset/filesystem for
> /var/tmp, and set its quota to something sensible.
>
> If UFS is your (only) option, then create a separate partition of
> reasonable size and mount that as your /var/tmp.
>
> You can also consider a filebacked mfs of a certain size for your
> /var/tmp.
>
> --
> +-------------------------------+------------------------------------+
> | Vennlig hilsen,               | Best regards,                      |
> | Trond Endrestøl,              | Trond Endrestøl,                   |
> | IT-ansvarlig,                 | System administrator,              |
> | Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
> | tlf. mob. 952 62 567,         | Cellular...: +47 952 62 567,       |
> | sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
> +-------------------------------+------------------------------------+

What are we mitigating? A situation where some bad guy fills /tmp and
collapses the system? Or a situation where a bad guy manages to access our
/tmp and uses it to launch his scripts?

I remember this hardening subject from years back, so I googled "freebsd
security hardening" and found so much being discussed, including even a
port that was specifically made to achieve the same, as you can read from
https://linux-audit.com/freebsd-hardening-lynis/

--
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."