From owner-freebsd-questions@FreeBSD.ORG Mon Aug 7 18:30:09 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D76F216A4E1 for ; Mon, 7 Aug 2006 18:30:09 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (ns0.infracaninophile.co.uk [81.187.76.162]) by mx1.FreeBSD.org (Postfix) with ESMTP id E53C843D7B for ; Mon, 7 Aug 2006 18:30:06 +0000 (GMT) (envelope-from m.seaman@infracaninophile.co.uk) Received: from [IPv6:::1] (localhost [IPv6:::1]) by smtp.infracaninophile.co.uk (8.13.6/8.13.6) with ESMTP id k77ITfQ3007891; Mon, 7 Aug 2006 19:29:41 +0100 (BST) (envelope-from m.seaman@infracaninophile.co.uk) Authentication-Results: smtp.infracaninophile.co.uk from=m.seaman@infracaninophile.co.uk; sender-id=softfail; spf=softfail X-SenderID: Sendmail Sender-ID Filter v0.2.14 smtp.infracaninophile.co.uk k77ITfQ3007891 Message-ID: <44D7868E.4070806@infracaninophile.co.uk> Date: Mon, 07 Aug 2006 19:29:34 +0100 From: Matthew Seaman Organization: Infracaninophile User-Agent: Thunderbird 1.5.0.5 (X11/20060801) MIME-Version: 1.0 To: dick hoogendijk References: <20060807180521.GA2299@lothlorien.nagual.nl> In-Reply-To: <20060807180521.GA2299@lothlorien.nagual.nl> X-Enigmail-Version: 0.94.0.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------enig5C73C1EAC8605AB0ADCF78F0" X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 (smtp.infracaninophile.co.uk [IPv6:::1]); Mon, 07 Aug 2006 19:30:02 +0100 (BST) X-Virus-Scanned: ClamAV 0.88.3/1639/Mon Aug 7 14:34:09 2006 on happy-idiot-talk.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,NO_RELAYS autolearn=ham version=3.1.3 X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on happy-idiot-talk.infracaninophile.co.uk Cc: freebsd-questions Subject: Re: /tmp permissions X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Aug 2006 18:30:09 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig5C73C1EAC8605AB0ADCF78F0 Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: quoted-printable dick hoogendijk wrote: > Today I read that /tmp always is "noexec". > That should probably be on linux, because on my fbsd-6.1 box it's "rw" > and that's it. >=20 > Question: should I change /tmp to "rw,noexec" to be safer? It will screw up your ability to do 'make buildworld', but other than that, is generally harmless. In order for something like that to be effective though, you'ld have to ensure that there weren't any world writeable directories on your system on partitions that allowed processes to be exec'd from them. Similarly you'ld have to ensure that any account liable to compromise does not have any directories around where it can write files and execute them from. Which is actually quite reasonable to do for most=20 of the UIDs that exist solely to own network server processes. However, at that level of paranoia, judicious use of chroot(2) or jail(2) would be indicated -- so banishing network servers into corners of your disk space with no /tmp accessible on them at all. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig5C73C1EAC8605AB0ADCF78F0 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE14aV8Mjk52CukIwRCMBDAJ9JN/ckmrb/MTU/SuKcHvud4+cyiACgjbwu UIxlBtdqV63utKlEAbO7np8= =tuL0 -----END PGP SIGNATURE----- --------------enig5C73C1EAC8605AB0ADCF78F0--