
James Allsopp 11-12-2010 12:30 PM

Making /tmp noexec
 
Hi,
I was reading this page about making tmp non-executable
(http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a
little out of date as I'm using Squeeze.

I changed fstab, and edited my 70debconf to

DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

is this correct? Aptitude still works fine, but I was wondering if
anyone had experience of pitfalls with this?

Would I replicate this for my /var partition and is there any point to
doing this with /home?

Thanks,
Jim


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4CDD4189.4030705@googlemail.com

David Sastre 11-12-2010 08:09 PM

Making /tmp noexec
 
On Fri, Nov 12, 2010 at 01:30:49PM +0000, James Allsopp wrote:
> Hi,
> I was reading this page about making tmp non-executable
> (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a
> little out of date as I'm using Squeeze.
>
> I changed fstab, and edited my 70debconf to
>
> DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";};
> DPkg::Post-Invoke {"mount -o remount /tmp";};
>
> is this correct? Aptitude still works fine, but I was wondering if
> anyone had experience of pitfalls with this?
>
> Would I replicate this for my /var partition and is there any point to
> doing this with /home?

I use almost the same configuration:

# cat /etc/apt/apt.conf.d/20tmpperms
DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

And my fstab looks like this:

# grep tmp /etc/fstab
/dev/mapper/root_vg-tmp_lv /tmp ext3 defaults,noexec,nosuid 0 2

It works OK. Regarding var, I wouldn't do it. Some files need execute
permissions. Others might have another opinion, though.
And /home, well, some of us like to have /home/${USER}/.dist/bin or
something similar in our ${PATHS}, so it depends on your setup.

HTH.

--
Primary key fingerprint: 0FDA C36F F110 54F4 D42B D0EB 617D 396C 448B 31EB

Sven Joachim 11-12-2010 08:29 PM

Making /tmp noexec
 
On 2010-11-12 14:30 +0100, James Allsopp wrote:

> Hi,
> I was reading this page about making tmp non-executable
> (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a
> little out of date as I'm using Squeeze.
>
> I changed fstab, and edited my 70debconf to
>
> DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";};
> DPkg::Post-Invoke {"mount -o remount /tmp";};

A better option would be to set APT::ExtractTemplates::TempDir to a
directory where programs can be executed. See apt-extracttemplates(1).

> is this correct? Aptitude still works fine, but I was wondering if
> anyone had experience of pitfalls with this?

While dpkg is running, programs in /tmp are executable. If you're
paranoid enough, this may worry you.

> Would I replicate this for my /var partition

If you do this, you have to relocate /var/lib/dpkg/info to another
filesystem and bind-mount or symlink it so that the package maintainer
scripts can be run.

> and is there any point to doing this with /home?

It may help a little if you cannot trust your users, but note that they
can still run (at least) shell, perl and awk scripts by invoking the
interpreter.

Sven


--
Archive: http://lists.debian.org/8739r65izf.fsf@turtle.gmx.de
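
Sven's APT::ExtractTemplates::TempDir suggestion, written out as an added example (not code from the thread): a script that creates a root-only directory and writes an apt.conf.d drop-in pointing the setting at it, so the extracted debconf config scripts do not depend on an executable /tmp. The directory /var/lib/apt-exec-tmp, the drop-in name 50extracttemplates-tmpdir and the ROOT staging prefix are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: apt-exec-tmp,
# 50extracttemplates-tmpdir. ROOT lets you stage into a scratch tree first.

# setup_apt_tempdir ROOT [DIR]
#   Create DIR (default /var/lib/apt-exec-tmp) under ROOT with mode 0700 and
#   write a drop-in that sets APT::ExtractTemplates::TempDir to DIR.
setup_apt_tempdir() {
    root=${1%/}
    dir=${2:-/var/lib/apt-exec-tmp}
    conf="$root/etc/apt/apt.conf.d/50extracttemplates-tmpdir"

    # Refuse a symlink: root would extract and run config scripts in
    # whatever location the link points to.
    if [ -L "$root$dir" ]; then
        echo "refusing: $root$dir is a symlink" >&2
        return 1
    fi

    mkdir -p "$root$dir" "$root/etc/apt/apt.conf.d" || return 1
    # Only the owner may list, create or run files here, unlike /tmp.
    chmod 0700 "$root$dir" || return 1

    # apt.conf syntax: quoted value, terminated by a semicolon.
    printf 'APT::ExtractTemplates::TempDir "%s";\n' "$dir" > "$conf" || return 1
    chmod 0644 "$conf"
}

# tempdir_setting CONF
#   Print the directory configured in a drop-in written by the function above.
tempdir_setting() {
    sed -n 's/^APT::ExtractTemplates::TempDir "\(.*\)";$/\1/p' "$1"
}

# On a real system, as root: setup_apt_tempdir /
```

The chosen directory has to live on a filesystem mounted without noexec, which is the reason for not placing it under /tmp.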

11-13-2010 02:34 AM

Making /tmp noexec
 
This is more of an F-MY-I question, but if the /tmp dir is a separate partition and you're using a mount command in fstab, could you limit the execute capabilities via umask?

I would think umask=111 would set the directory world read and write with no execute permissions

*NOTE* I don't fully understand umask number permissions other than the effect that they are the reverse of chmod numbers and 000 is world read/write/execute; since execute is value 1 in chmod, I assume by counting 111 you're telling umask to EXCLUDE execute. May need to look up umask values.

TeddyB

Simon Brandmair 11-13-2010 02:49 PM

Making /tmp noexec
 
On Fri, 12 Nov 2010 13:40:02 +0100 James Allsopp wrote:
> I was reading this page about making tmp non-executable
> (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a
> little out of date as I'm using Squeeze.
>
> I changed fstab, and edited my 70debconf to
>
> DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";};
> DPkg::Post-Invoke {"mount -o remount /tmp";};

I would test first, if apt even needs /tmp to be executable. I run it
with /tmp non-exec and don't have any problems with it.

Simon


--
Archive: http://lists.debian.org/ibmc35$ohp$00$1@news.t-online.com

Sjoerd Hardeman 11-13-2010 06:54 PM

Making /tmp noexec
 
On 13-11-10 16:49, Simon Brandmair wrote:
> On Fri, 12 Nov 2010 13:40:02 +0100 James Allsopp wrote:
>> I was reading this page about making tmp non-executable
>> (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a
>> little out of date as I'm using Squeeze.
>>
>> I changed fstab, and edited my 70debconf to
>>
>> DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";};
>> DPkg::Post-Invoke {"mount -o remount /tmp";};
>
> I would test first, if apt even needs /tmp to be executable. I run it
> with /tmp non-exec and don't have any problems with it.

Some packages do need an executable temp to run temporary scripts.
Usually there's no mayhem, but errors are spawned. To solve this, follow
the method above or add to /etc/apt/apt.conf

DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
DPkg::Post-Invoke {"mount -o remount /tmp";};

That works flawlessly.

Sjoerd
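
With the Pre-Invoke/Post-Invoke remount hooks discussed in this thread, /tmp stays executable if the Post-Invoke remount does not run. The following added example (not code from the thread) compares the noexec/nosuid options declared in fstab with the live mount table and reports any drift; the function names and the sample mounts line are constructed for illustration, and the fstab line is the one quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: compare fstab hardening with live mounts.

# has_opt OPTS NAME: succeed if the comma-separated list OPTS contains NAME.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# live_opts MOUNTS DIR: options of the last (effective) mount on DIR.
live_opts() {
    awk -v d="$2" '$2 == d { o = $4 } END { print o }' "$1"
}

# audit_drift FSTAB MOUNTS: print "DIR missing OPT" for every hardening option
# that fstab declares but the live mount lacks; return 1 if any drift is found.
audit_drift() {
    rc=0
    while read -r dev dir fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        for want in noexec nosuid; do
            has_opt "$opts" "$want" || continue
            has_opt "$(live_opts "$2" "$dir")" "$want" && continue
            echo "$dir missing $want"
            rc=1
        done
    done < "$1"
    return "$rc"
}

# demo: constructed sample data. The mounts line is what /proc/mounts would
# show while /tmp is still in the state left by "mount -o remount,exec /tmp".
demo() {
    d=$(mktemp -d) || return 2
    echo '/dev/mapper/root_vg-tmp_lv /tmp ext3 defaults,noexec,nosuid 0 2' > "$d/fstab"
    echo '/dev/mapper/root_vg-tmp_lv /tmp ext3 rw,nosuid,relatime 0 0' > "$d/mounts"
    audit_drift "$d/fstab" "$d/mounts"
    status=$?
    rm -rf "$d"
    return "$status"
}

# On a real system: audit_drift /etc/fstab /proc/mounts
```

Run from cron or a monitoring check, a non-zero exit outside a package run means the hardening in fstab is not what is actually in effect.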

"Robert Blair Mason Jr." 11-13-2010 08:00 PM

Making /tmp noexec
 
On Sat, 13 Nov 2010 03:34:36 +0000
teddieeb@tmo.blackberry.net wrote:

>
> This is more of an F-MY-I question, but if the /tmp dir is a separate partition and you're using a mount command in fstab, could you limit the execute capabilities via umask?
>
> I would think umask=111 would set the directory world read and write with no
> execute permissions
>

Couldn't you use the noexec option in fstab? That way you wouldn't have to mess with umasks, and I *think* it is more secure - a file in mode 666 can still be executed with /lib/ld*.so 'cmd'.


--
rbmj


--
Archive: http://lists.debian.org/20101113160010.872abff7.rbmj@verizon.net

