Date: Wed, 8 Feb 2017 11:40:41 -0600 (CST)
From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To: "Matt Smith" <matt.xtaz@gmail.com>, byrnejb@harte-lyne.ca, FreeBSD-questions@freebsd.org
Subject: Re: hardening /tmp
Message-ID: <28341.128.135.52.6.1486575641.squirrel@cosmo.uchicago.edu>
In-Reply-To: <20170208171953.GB68602@gmail.com>
References: <687643e26aeb858b3b5d9f5693829360.squirrel@webmail.harte-lyne.ca> <20170208171953.GB68602@gmail.com>
On Wed, February 8, 2017 11:19 am, Matt Smith wrote:
> On Feb 08 10:22, James B. Byrne via freebsd-questions wrote:
>> How do most people handle hardening /tmp and /var/tmp on FreeBSD? I
>> can get rid of /tmp from the file system and then simply mount it as a
>> tmpfs in /etc/fstab.
>>
>> tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
>>
>> However, /var/tmp is supposed to survive across reboots so how is this
>> handled?
>>
>
> I tried exactly this along with also doing it to /var/tmp and decided to
> back out my changes. If you mount /tmp noexec you will find that make
> installworld breaks. tmpfs doesn't allow you to change mount options so
> you have to unmount it. Unmounting it kills tmux or screen which I use.
> It's just hassle!

In the past, when hardening Linuxes and mounting /tmp with the nosuid,noexec,nodev options, I had to ban several things; one I recollect was openoffice. What that beast was doing was creating an executable (a script probably, not a binary) in /tmp and then executing that whenever you start openoffice. It didn't add to my disliking it, as I already had a gross prejudice against all java-based everything. I guess some stuff is just not written with security in mind...

> And /var/tmp has vi.recover in it which is created on boot by
> /etc/rc.d/virecover but it creates this before the tmpfs is mounted over
> the top of it so the result is that it doesn't exist. I don't know what
> the effects of that are, especially as I use vim but still it annoyed
> me.

This, luckily, is not hurt by nosuid,noexec,nodev, so vi will function as it did, but to have it that way one needs a separate partition for it. There may exist something that does nasty stuff in /var/tmp like openoffice does in /var to function.

Valeri

> --
> Matt

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
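A mount-option audit in the spirit of this thread, added here as an example and not part of the original mail: it parses an fstab-style listing (assumed to match what `mount -p` prints on FreeBSD) and reports whether /tmp and /var/tmp are separate mounts carrying nosuid and noexec, with an extra warning when /var/tmp sits on tmpfs, since the thread notes its contents are supposed to survive reboots. The sample listing is constructed.

```shell
#!/bin/sh
# Audit the mount options of /tmp and /var/tmp from an fstab-format listing.
# Constructed sample listing standing in for `mount -p` output (assumed to
# print fstab-style lines: device mountpoint fstype options dump pass).
SAMPLE='/dev/ada0p2 / ufs rw 1 1
tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
tmpfs /var/tmp tmpfs rw,mode=01777 0 0'

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_mountpoint MP LISTING: print one status line for mount point MP and
# return 0 only if it is a separate mount carrying nosuid and noexec.
# /var/tmp on tmpfs is flagged because its contents are expected to persist
# across reboots (and rc.d/virecover's vi.recover directory ends up hidden).
check_mountpoint() {
    mp=$1
    line=$(printf '%s\n' "$2" | awk -v mp="$mp" '$2 == mp { print; exit }')
    if [ -z "$line" ]; then
        echo "$mp: not a separate mount"
        return 1
    fi
    fstype=$(printf '%s\n' "$line" | awk '{ print $3 }')
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    missing=""
    for want in nosuid noexec; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    if [ "$mp" = /var/tmp ] && [ "$fstype" = tmpfs ]; then
        echo "$mp: ok ($opts) but tmpfs does not persist across reboots"
        return 0
    fi
    echo "$mp: ok ($opts)"
    return 0
}

# Run against the live system with `sh check_tmp.sh --live`; otherwise the
# constructed sample is audited so the script can be tried anywhere.
if [ "${1:-}" = "--live" ]; then LISTING=$(mount -p); else LISTING=$SAMPLE; fi
status=0
for mp in /tmp /var/tmp; do
    check_mountpoint "$mp" "$LISTING" || status=1
done
```

With the sample, /tmp passes and /var/tmp is reported as missing nosuid and noexec; a nonzero $status marks that at least one mount point needs attention.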