Date:      Mon, 07 Aug 2006 19:29:34 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        dick hoogendijk <dick@nagual.nl>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: /tmp permissions
Message-ID:  <44D7868E.4070806@infracaninophile.co.uk>
In-Reply-To: <20060807180521.GA2299@lothlorien.nagual.nl>
References:  <20060807180521.GA2299@lothlorien.nagual.nl>


dick hoogendijk wrote:
> Today I read that /tmp always is "noexec".
> That should probably be on linux, because on my fbsd-6.1 box it's "rw"
> and that's it.
>
> Question: should I change /tmp to "rw,noexec" to be safer?

It will screw up your ability to do 'make buildworld', but other than
that, is generally harmless.

In order for something like that to be effective though, you'd have
to ensure that there weren't any world writeable directories on your
system on partitions that allowed processes to be exec'd from them.
Similarly you'd have to ensure that any account liable to compromise
does not have any directories around where it can write files and
execute them from.  Which is actually quite reasonable to do for most
of the UIDs that exist solely to own network server processes.

However, at that level of paranoia, judicious use of chroot(2) or
jail(2) would be indicated -- so banishing network servers into corners
of your disk space with no /tmp accessible on them at all.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
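
Added example, not part of the original message: a small audit for the condition described above, listing world-writable directories that sit on filesystems mounted without noexec. The function names and the sample mount table are constructed for illustration; the input is assumed to be in fstab(5) format, as printed by `mount -p` on FreeBSD.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not from the original thread.

# exec_mounts: read fstab-format lines on stdin (device, mount point,
# fstype, options, ...) and print mount points whose options lack "noexec".
exec_mounts() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }     # skip comments and short lines
        {
            n = split($4, opt, ","); noexec = 0
            for (i = 1; i <= n; i++) if (opt[i] == "noexec") noexec = 1
            if (!noexec) print $2
        }'
}

# world_writable_dirs: list directories under $1 that any user can write
# to, without crossing into other filesystems (-xdev).
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null
}

# audit: for every exec-capable mount point read from stdin, report each
# world-writable directory on it as "<mount point>: <directory>".
audit() {
    exec_mounts | while read -r mp; do
        world_writable_dirs "$mp" | while read -r d; do
            printf '%s: %s\n' "$mp" "$d"
        done
    done
}

# Constructed sample mount table in fstab format.
SAMPLE='/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1e /tmp ufs rw,noexec 2 2
/dev/ad0s1f /var ufs rw 2 2
devfs /dev devfs rw 0 0'

# Show which sample mount points would still allow exec.
printf '%s\n' "$SAMPLE" | exec_mounts
```

On a live system, run `mount -p | audit` as root so that find can read every directory.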





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44D7868E.4070806>