Making /tmp noexec
Hi,
I was reading this page about making tmp non-executable (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a little out of date as I'm using Squeeze. I changed fstab, and edited by 70debconf to DPkg::Pre-Install-Pkgs {"mount -o remount,exec /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";}; DPkg::Post-Invoke{"mount -o remount /tmp";}; is this correct? Aptitude still works fine, but I was wondering if anyone had experience of pitfalls with this? Would I replicate this for my /var partition and is there any point to doing this with /home? Thanks, Jim -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: 4CDD4189.4030705@googlemail.com">http://lists.debian.org/4CDD4189.4030705@googlemail.com |
Making /tmp noexec
On Fri, Nov 12, 2010 at 01:30:49PM +0000, James Allsopp wrote:
> Hi, > I was reading this page about making tmp non-executable > (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a > little out of date as I'm using Squeeze. > > I changed fstab, and edited by 70debconf to > > DPkg::Pre-Install-Pkgs {"mount -o remount,exec > /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";}; > DPkg::Post-Invoke{"mount -o remount /tmp";}; > > is this correct? Aptitude still works fine, but I was wondering if > anyone had experience of pitfalls with this? > > Would I replicate this for my /var partition and is there any point to > doing this with /home? I use almost the same configuration: # cat /etc/apt/apt.conf.d/20tmpperms DPkg::Pre-Invoke{"mount -o remount,exec /tmp";}; DPkg::Post-Invoke {"mount -o remount /tmp";}; And my fstab looks like this: # grep tmp /etc/fstab /dev/mapper/root_vg-tmp_lv /tmp ext3 defaults,noexec,nosuid 0 2 It works OK. Regarding var, I wouldn't do it. Some files need execute permissions. Others might have another opinion, though. And /home, well, some of us like to have /home/${USER}/.dist/bin or something similar in our ${PATHS}, so it depends on your setup. HTH. -- Huella de clave primaria: 0FDA C36F F110 54F4 D42B D0EB 617D 396C 448B 31EB |
Making /tmp noexec
On 2010-11-12 14:30 +0100, James Allsopp wrote:
> Hi, > I was reading this page about making tmp non-executable > (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a > little out of date as I'm using Squeeze. > > I changed fstab, and edited by 70debconf to > > DPkg::Pre-Install-Pkgs {"mount -o remount,exec > /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";}; > DPkg::Post-Invoke{"mount -o remount /tmp";}; A better option would be to set APT::ExtractTemplates::TempDir to a directory where programs can be executed. See apt-extracttemplates(1). > is this correct? Aptitude still works fine, but I was wondering if > anyone had experience of pitfalls with this? While dpkg is running, programs in /tmp are executable. If you're paranoid enough, this may worry you. > Would I replicate this for my /var partition If you do this, you have to relocate /var/lib/dpkg/info to another filesystem and bind-mount or symlink it so that the package maintainer scripts can be run. > and is there any point to doing this with /home? It may help a little if you cannot trust your users, but note that they can still run (at least) shell, perl and awk scripts by invoking the interpreter. Sven -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: 8739r65izf.fsf@turtle.gmx.de">http://lists.debian.org/8739r65izf.fsf@turtle.gmx.de |
Making /tmp noexec
This is more of an F-MY-I question, but if the /tem dir is a separate partition and your using a mount command in fstab, could you limit the execute capabilities via umask?
I would think umask=111 would set the directory world read and write with no Execute permissions *NOTE* I don't fully understand umask number permissions other than the effect that they are reverse of chmod numbers and 000 is world read/write/execute, since execute is value 1 in chmod I assume by counting 111 your telling umask to EXCLUDE execute, may need to look up umask values TeddyB -----Original Message----- From: Sven Joachim <svenjoac@gmx.de> Date: Fri, 12 Nov 2010 22:29:08 To: <debian-user@lists.debian.org> Subject: Re: Making /tmp noexec On 2010-11-12 14:30 +0100, James Allsopp wrote: > Hi, > I was reading this page about making tmp non-executable > (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a > little out of date as I'm using Squeeze. > > I changed fstab, and edited by 70debconf to > > DPkg::Pre-Install-Pkgs {"mount -o remount,exec > /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";}; > DPkg::Post-Invoke{"mount -o remount /tmp";}; A better option would be to set APT::ExtractTemplates::TempDir to a directory where programs can be executed. See apt-extracttemplates(1). > is this correct? Aptitude still works fine, but I was wondering if > anyone had experience of pitfalls with this? While dpkg is running, programs in /tmp are executable. If you're paranoid enough, this may worry you. > Would I replicate this for my /var partition If you do this, you have to relocate /var/lib/dpkg/info to another filesystem and bind-mount or symlink it so that the package maintainer scripts can be run. > and is there any point to doing this with /home? It may help a little if you cannot trust your users, but note that they can still run (at least) shell, perl and awk scripts by invoking the interpreter. Sven -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: http://lists.debian.org/8739r65izf.fsf@turtle.gmx.de |
Making /tmp noexec
On Fri, 12 Nov 2010 13:40:02 +0100 James Allsopp wrote:
> I was reading this page about making tmp non-executable > (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a > little out of date as I'm using Squeeze. > > I changed fstab, and edited by 70debconf to > > DPkg::Pre-Install-Pkgs {"mount -o remount,exec > /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";}; > DPkg::Post-Invoke{"mount -o remount /tmp";}; I would test first, if apt even needs /tmp to be executable. I run it with /tmp non-exec and don't have any problems with it. Simon -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: ibmc35$ohp$00$1@news.t-online.com">http://lists.debian.org/ibmc35$ohp$00$1@news.t-online.com |
Making /tmp noexec
Op 13-11-10 16:49, Simon Brandmair schreef:
> On Fri, 12 Nov 2010 13:40:02 +0100 James Allsopp wrote: >> I was reading this page about making tmp non-executable >> (http://pario.no/2007/10/04/making-tmp-non-executable/) but it seems a >> little out of date as I'm using Squeeze. >> >> I changed fstab, and edited by 70debconf to >> >> DPkg::Pre-Install-Pkgs {"mount -o remount,exec >> /tmp";"/usr/sbin/dpkg-preconfigure --apt || true";}; >> DPkg::Post-Invoke{"mount -o remount /tmp";}; > > I would test first, if apt even needs /tmp to be executable. I run it > with /tmp non-exec and don't have any problems with it. Some packages do need an executable temp to run temporary scripts. Usually there's no mayhem, bet errors are spawn. To solve this, follow the method above or add to /etc/apt/apt.conf DPkg::Pre-Invoke{"mount -o remount,exec /tmp"} DPkg::Post-Invoke{"mount -o remount /tmp"} That works flawlessly. Sjoerd |
Making /tmp noexec
On Sat, 13 Nov 2010 03:34:36 +0000
teddieeb@tmo.blackberry.net wrote: > > This is more of an F-MY-I question, but if the /tem dir is a separate partition and your using a mount command in fstab, could you limit the execute capabilities via umask? > > I would think umask=111 would set the directory world read and write with no > Execute permissions > Couldn't you use the noexec option in fstab? That way you wouldn't have to mess with umasks, and i *think* it is more secure - a file in mode 666 can still be executed with /lib/ld*.so 'cmd'. -- rbmj -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: 20101113160010.872abff7.rbmj@verizon.net">http://lists.debian.org/20101113160010.872abff7.rbmj@verizon.net |
| All times are GMT. The time now is 09:32 AM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.