Date: Wed, 8 Feb 2017 11:40:41 -0600 (CST)
From: "Valeri Galtsev"
Reply-To: galtsev@kicp.uchicago.edu
To: "Matt Smith" , byrnejb@harte-lyne.ca, FreeBSD-questions@freebsd.org
Subject: Re: hardening /tmp
Message-ID: <28341.128.135.52.6.1486575641.squirrel@cosmo.uchicago.edu>
In-Reply-To: <20170208171953.GB68602@gmail.com>
References: <687643e26aeb858b3b5d9f5693829360.squirrel@webmail.harte-lyne.ca> <20170208171953.GB68602@gmail.com>
List-Id: User questions (freebsd-questions@freebsd.org)

On Wed, February 8, 2017 11:19 am, Matt Smith wrote:
> On Feb 08 10:22, James B. Byrne via freebsd-questions wrote:
>> How do most people handle hardening /tmp and /var/tmp on FreeBSD? I
>> can get rid of /tmp from the file system and then simply mount it as a
>> tmpfs in /etc/fstab.
>>
>> tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
>>
>> However, /var/tmp is supposed to survive across reboots so how is this
>> handled?
>>
>
> I tried exactly this along with also doing it to /var/tmp and decided to
> back out my changes. If you mount /tmp noexec you will find that make
> installworld breaks. tmpfs doesn't allow you to change mount options so
> you have to unmount it. Unmounting it kills tmux or screen which I use.
> It's just hassle!

In the past, when hardening Linuxes and mounting /tmp with the
nosuid,noexec,nodev options, I had to ban several things; one I recollect
was OpenOffice. What that beast was doing was creating an executable
(a script probably, not a binary) in /tmp and then executing that whenever
you start OpenOffice. It didn't add to my disliking it, as I already had a
gross prejudice against all Java-based everything. I guess some stuff is
just not written with security in mind...

>
> And /var/tmp has vi.recover in it which is created on boot by

This, luckily, is not hurt by nosuid,noexec,nodev, so vi will function as
it did, but to have it that way one needs a separate partition for it.
There may exist something that does nasty stuff in /var/tmp to function,
like OpenOffice does in /var.

Valeri

> /etc/rc.d/virecover but it creates this before the tmpfs is mounted over
> the top of it so the result is that it doesn't exist. I don't know what
> the effects of that are, especially as I use vim but still it annoyed
> me.
>
> --
> Matt
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
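An added example, not from the thread and not FreeBSD's own code: a small POSIX sh audit for the two mountpoints under discussion. It parses the "device on /mountpoint (fstype, flag, ...)" form that FreeBSD's mount(8) prints (the Linux form also puts the mountpoint in the third word, so the same parser works there) and reports which of the requested flags are missing, so you can verify the fstab change actually took effect after a reboot. The mount listing embedded in it is constructed, and the /dev/ada0p5 partition used for /var/tmp is a hypothetical device name; the demo checks nosuid and noexec, the flags in the fstab line quoted above, while nodev is passed explicitly where a system honours it.

```shell
#!/bin/sh
# Added example, not part of the thread. Audits the flags on /tmp and /var/tmp.
#
# /etc/fstab lines this is meant to verify. The /tmp line is the one quoted in
# the thread; giving /var/tmp its own UFS partition (device name hypothetical)
# is what lets it carry nosuid,noexec and still survive reboots:
#   tmpfs        /tmp      tmpfs  rw,nosuid,noexec,mode=01777  0  0
#   /dev/ada0p5  /var/tmp  ufs    rw,nosuid,noexec             2  2

# Constructed sample of `mount` output, FreeBSD style. /var/tmp lacks noexec
# on purpose so the demo shows a failing check.
SAMPLE_MOUNTS='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs, local, multilabel)
tmpfs on /tmp (tmpfs, local, noexec, nosuid)
/dev/ada0p5 on /var/tmp (ufs, local, nosuid, soft-updates)'

# has_opt LISTING MOUNTPOINT OPTION
# Returns 0 if the line for MOUNTPOINT lists OPTION inside its parentheses.
# Handles "dev on /mp (a, b)" (FreeBSD) and "dev on /mp type fs (a,b)" (Linux).
has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $3 == mp {
            s = $0
            sub(/^[^(]*\(/, "", s)      # drop everything up to the "("
            sub(/\).*$/, "", s)         # drop the ")" and anything after it
            n = split(s, a, /, */)      # comma, optionally followed by spaces
            for (i = 1; i <= n; i++) if (a[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_tmp LISTING MOUNTPOINT OPTION...
# Prints a verdict; returns 0 only if every OPTION is present on MOUNTPOINT.
check_tmp() {
    listing=$1; mp=$2; shift 2
    missing=""
    for o in "$@"; do
        has_opt "$listing" "$mp" "$o" || missing="$missing $o"
    done
    if [ -n "$missing" ]; then
        echo "$mp: MISSING$missing"
        return 1
    fi
    echo "$mp: ok ($*)"
    return 0
}

# audit_live OPTION...
# Same check against the running system; returns non-zero if either fails.
audit_live() {
    live=$(mount)
    rc=0
    for mp in /tmp /var/tmp; do
        check_tmp "$live" "$mp" "$@" || rc=1
    done
    return $rc
}

# Demo on the constructed sample: /tmp passes, /var/tmp is flagged.
check_tmp "$SAMPLE_MOUNTS" /tmp nosuid noexec
check_tmp "$SAMPLE_MOUNTS" /var/tmp nosuid noexec || true
```

After editing fstab, run `audit_live nosuid noexec` as root on the box (add nodev on a Linux host). Per Matt's note upthread that tmpfs mount options cannot be changed in place, a failing /tmp check is fixed by unmounting and remounting, not by `mount -u`, so do it before starting tmux or screen sessions that hold files there.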