
Secure temporary files in Linux

Written by Mel Kham on . Posted in Linux tutorials

On a typical Linux system there will be at least two, if not more, directories or partitions meant to hold temporary files. There is always the /tmp directory, and often a /var/tmp directory as well. With newer Linux kernels, there can also be /dev/shm, which is mounted using the tmpfs filesystem.

One problem with directories meant to store temporary files is that they are frequently chosen as places to drop bots and rootkits that compromise the system, because in most cases anyone (or any process) can write to them. Permissions on the files themselves matter as well: most Linux distributions set the sticky bit on directories meant to contain temporary files, which means that user A cannot remove a file belonging to user B, and vice versa; depending on the permissions of the file itself, however, user A may still be able to view and/or modify its contents.

A typical Linux installation will set /tmp as mode 1777, meaning it has the sticky bit set and is readable, writable, and executable by all users. For many, that’s as secure as it gets, and this is mostly because the /tmp directory is just that: a directory, not its own filesystem. The /tmp directory lives on the / partition and, as such, must obey its mount options.

A more secure solution is to put /tmp on its own partition, so that it can be mounted independently of the / partition with more restrictive options. An example /etc/fstab entry for a /tmp partition might look like:

/dev/sda7 /tmp ext3 nosuid,noexec,nodev,rw 0 0

This would set the nosuid, noexec, and nodev options, meaning that no suid programs are permitted, nothing can be executed from that partition, and no device files may exist.

You could then remove the /var/tmp directory and create a symlink pointing to /tmp so that the temporary files in /var/tmp also make use of these restrictive mount options.

The /dev/shm virtual filesystem needs to be secured as well, and this can also be done through /etc/fstab. Typically, /dev/shm is simply mounted with the defaults option, which isn’t enough to secure it properly. Like the fstab entry shown for /tmp, it should have more restrictive mount options:

none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
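The fstab entries above only help if they actually take effect at boot, so a practitioner wants a quick way to verify the live mount table. The following audit script is an added example and not part of the original article: it reads a mounts table in /proc/mounts format, compares /tmp, /var/tmp and /dev/shm against the options the article recommends for each, and reports what is missing. The required-option lists and the constructed sample table are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article): audit the mount options of
# the temporary-file locations discussed in the text. Input is a mounts table
# in /proc/mounts format: device mountpoint fstype options dump pass.

# Options each location should carry, following the article's fstab entries
# (assumption: /var/tmp is treated like /tmp; /dev/shm like the article's
# tmpfs line, which omits nodev).
required_opts_for() {
    case "$1" in
        /tmp|/var/tmp) echo "nosuid noexec nodev" ;;
        /dev/shm)      echo "nosuid noexec" ;;
        *)             echo "" ;;
    esac
}

# Print the option string for mount point $1 from the table text $2.
# Prints nothing when the path is not a mount point of its own.
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# For each temp location print one line:
#   "<mp> ok", "<mp> missing:<opt>,<opt>" or "<mp> not-a-separate-mount".
# A path that is not its own mount inherits the options of its parent
# filesystem (usually /), which is exactly the situation the article warns
# about, so it is flagged rather than silently passed.
audit_temp_mounts() {
    table="$1"
    for mp in /tmp /var/tmp /dev/shm; do
        opts=$(mount_opts "$mp" "$table")
        if [ -z "$opts" ]; then
            printf '%s not-a-separate-mount\n' "$mp"
            continue
        fi
        missing=""
        for want in $(required_opts_for "$mp"); do
            # Wrap in commas so "noexec" cannot match inside another option.
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="${missing:+$missing,}$want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mp" "$missing"
        else
            printf '%s ok\n' "$mp"
        fi
    done
}

# Constructed sample table for offline use: /tmp hardened as in the article's
# fstab entry, /dev/shm left on bare defaults, /var/tmp just a directory on /.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda7 /tmp ext3 rw,nosuid,noexec,nodev 0 0
none /dev/shm tmpfs rw,relatime 0 0'

# "./audit.sh live" checks the running system; anything else uses the sample.
if [ "${1:-}" = "live" ] && [ -r /proc/mounts ]; then
    audit_temp_mounts "$(cat /proc/mounts)"
else
    audit_temp_mounts "$SAMPLE_MOUNTS"
fi
```

On the sample input the script reports /tmp as ok, /var/tmp as not-a-separate-mount and /dev/shm as missing nosuid and noexec. If /var/tmp has been replaced by a symlink to /tmp as the article suggests, it will still show as not-a-separate-mount because /proc/mounts lists only real mount points; resolving the link with readlink -f before the lookup is the natural extension for a live check.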

Finally, if you don’t have the ability to create a fresh /tmp partition on existing drives, you can use the loopback capabilities of the Linux kernel by creating a loopback filesystem that will be mounted as /tmp and can use the same restrictive mount options. To create a 1GB loopback filesystem, execute:

# dd if=/dev/zero of=/.tmpfs bs=1024 count=1000000
# mke2fs -j /.tmpfs
# cp -av /tmp /tmp.old
# mount -o loop,noexec,nosuid,rw /.tmpfs /tmp
# chmod 1777 /tmp
# mv -f /tmp.old/* /tmp/
# rmdir /tmp.old

Once this is complete, edit /etc/fstab to have the loopback filesystem mounted automatically at boot:

/.tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0
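The interactive transcript above does the job but stops on nothing: it will happily overwrite an existing image, lose dotfiles under /tmp when it globs /tmp.old/*, and append a duplicate fstab line on a second run. The script below is an added example, not the article's own procedure, that performs the same steps with those checks in place. It assumes the article's image path /.tmpfs and ext3 filesystem, a 1000 MiB image, and adds nodev to the mount options to match the article's own /tmp partition entry; the real work only runs as root when invoked with the argument "install".

```shell
#!/bin/sh
# Added example (not from the original article): scripted loopback /tmp setup
# mirroring the article's transcript, with guards the transcript omits.
set -eu

IMG=/.tmpfs                          # backing image path, as in the article
SIZE_MIB=1000                        # assumption: ~1 GB, like the article's dd
OPTS="loop,nosuid,noexec,nodev,rw"   # article's options plus nodev

# The fstab line for a loopback /tmp: <image> /tmp ext3 <options> 0 0
loop_fstab_line() {
    printf '%s /tmp ext3 %s 0 0\n' "$1" "$2"
}

# Append LINE ($2) to the fstab file $1 unless an uncommented entry for the
# same mount point already exists. Returns 0 when added, 1 when skipped.
ensure_fstab_entry() {
    fstab="$1"; line="$2"
    mp=$(printf '%s\n' "$line" | awk '{ print $2 }')
    if awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' "$fstab"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$fstab"
    return 0
}

# Create, format and mount the image, preserving everything already in /tmp
# (including dotfiles and sockets such as .X11-unix), then persist it.
# Run this with services that use /tmp stopped, or from single-user mode.
setup_loop_tmp() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ ! -e "$IMG" ] || { echo "$IMG already exists, refusing to overwrite" >&2; return 1; }

    dd if=/dev/zero of="$IMG" bs=1M count="$SIZE_MIB" status=none
    chmod 600 "$IMG"                 # only root may read the backing image
    mke2fs -q -j "$IMG"              # -j gives an ext3 journal, as in the article

    # Copy /tmp aside with "." so hidden entries come along, unlike /tmp/*.
    mkdir /tmp.old
    cp -a /tmp/. /tmp.old/

    mount -o "$OPTS" "$IMG" /tmp
    chmod 1777 /tmp                  # sticky, world-writable, as before
    cp -a /tmp.old/. /tmp/
    rm -rf /tmp.old

    # Confirm the new mount really carries the restrictive options.
    awk '$2 == "/tmp" { print "mounted /tmp with options: " $4 }' /proc/mounts

    if ensure_fstab_entry /etc/fstab "$(loop_fstab_line "$IMG" "$OPTS")"; then
        echo "added /etc/fstab entry for /tmp"
    else
        echo "/etc/fstab already has an entry for /tmp; not adding another" >&2
    fi
}

# Only touch the system when explicitly asked; otherwise just show the line.
if [ "${1:-}" = "install" ]; then
    setup_loop_tmp
else
    echo "would add to /etc/fstab:"
    loop_fstab_line "$IMG" "$OPTS"
fi
```

Without the "install" argument the script only prints the fstab line it would add, which makes it safe to inspect on a test box first. The fstab check skips commented-out lines, so a disabled old /tmp entry does not block the new one.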

Little things like ensuring proper permissions and using restrictive mount options will prevent a lot of harm from coming to the system. If a bot lands on a filesystem from which nothing can be executed, that bot is essentially worthless.


Source = techrepublic


Mel Kham

Founder of Unixmen, living in Amsterdam. I work in my free time to help people understand open source and to explain to them in an easy way how to take the first steps toward the light. Working day and night with my co-founder Zinovsky to keep this website live even with limited resources.

Copyright © 2008-2013 Unixmen.com.